5

I have set up my own performance counter data collector. It was running for a while and now I want to edit it. Upon clicking OK it asks me to enter credentials for NT AUTHORITY\SYSTEM! WTH? Obviously I don't know these and I don't think there even is any password!

I can create a new data collector set, but any time I try to edit one it asks me for this and I can't save the changes.

EDIT: I am talking about my work laptop with Windows 10 Enterprise build 1903. I am using it as any other person would, with an AzureAD account which is also a member of the local Administrators group. My home PC, where I noticed the same behavior, is Windows 10 Pro build 1903. There I am logged on with a local user account which is a member of the Administrators group.

Vitas
  • 1,027

2 Answers

6

So I don't know what causes it, but it seems like I found a solution/workaround: whenever it asks me for those credentials, I just delete the value from the login field and submit empty values, and this works...

Vitas
  • 1,027
1

I remark that NT AUTHORITY\SYSTEM has no password, so an empty password is the correct entry for that prompt.

I can only conjecture that your domain account ended up not being a member of the local groups Performance Log Users and/or Performance Monitor Users, so it is probably not a full local Administrator.

These groups are defined as:

  • Performance Log Users
    Members of this group can manage performance counters, logs, and alerts on a computer — both locally and from remote clients — without being a member of the Administrators group.

  • Performance Monitor Users
    Members of this group can monitor performance counters on a computer — locally and from remote clients — without being a member of the Administrators group or the Performance Log Users groups.

This same problem was discussed in the post Permissions Issue with Files Generated by PerfMon, where it was said:

Data Collector Sets can contain sensitive information about the computer, so access to them typically requires the user at least be a member of the Performance Log Users group.

The solution there, actually a workaround, was to create a scheduled task that will fire when the Data Collector Set finishes running, to modify the ACLs of the directory structure recursively to "Everyone Full Control".

There was a problem with creating a trigger for the job, which then required a Custom trigger entered manually as XML:

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
    <Select Path="Microsoft-Windows-TaskScheduler/Operational">
        *[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]
         and
        *[System[(EventID='102')]]
         and
        *[EventData[Data and (Data='YOUR DATA COLLECTOR SET NAME')]] 
    </Select>
  </Query>
</QueryList>

The trigger launched this PowerShell script:

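# Output folder of the Data Collector Set
$Path = "C:\PerfLogs\Admin\New Data Collector Set"
# Read the folder's current DACL
$ACL  = (Get-Item $Path).GetAccessControl("Access")
# Inheritable allow rule: Everyone, Full Control
$ACE  = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$ACL.AddAccessRule($ACE)
# Stamp the modified ACL on every file and subfolder below $Path
ForEach($Item In Get-ChildItem $Path -Recurse)
{
    Set-Acl -AclObject $ACL -Path $Item.FullName
}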

This solution is complicated, so it might be simpler to just continue entering an empty password when prompted.

harrymc
  • 498,455
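
A narrower variant of the ACL workaround quoted in the answer above, as an added example that is not part of the original answer or of the post it cites: it grants read access to the built-in Performance Log Users group instead of Full Control to Everyone, and reports whether the current account holds that group. Assumptions: the folder path is the one used in the answer, read access is sufficient for the log consumers, and the script runs elevated (as the scheduled task would).

```powershell
# Added example (not from the original answer). Run elevated.
# Assumption: read access for Performance Log Users is enough for whoever
# needs the collected logs; change $Rights if they must also modify files.
$Path   = "C:\PerfLogs\Admin\New Data Collector Set"   # path from the answer above
$Rights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# Well-known SID of BUILTIN\Performance Log Users. Using the SID avoids
# depending on the localized group name.
$Sid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-559")

# Report whether the current token actually carries that group.
$Identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)
"{0} in Performance Log Users: {1}" -f $Identity.Name, $Principal.IsInRole($Sid)

# Inheritable allow rule set once on the root folder; children that inherit
# pick it up, so there is no need to stamp one ACL onto every file.
$Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Sid, $Rights, $Inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$Acl = Get-Acl -LiteralPath $Path
$Acl.AddAccessRule($Rule)
Set-Acl -LiteralPath $Path -AclObject $Acl

# Show the resulting rules for this group, and any Everyone (S-1-1-0) grant
# left behind by the broader workaround so it can be reviewed.
$Everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
(Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $Everyone -or $_.IdentityReference -eq $Sid } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Files whose ACLs do not inherit from the folder will not pick up the new rule and would need it applied individually.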