5

I have set up my own performance counter data collector. It was running for a while and now I want to edit it. Upon clicking OK it asks me to enter credentials for NT AUTHORITY\SYSTEM! WTH? Obviously I don't know these and I don't think there even is any password!

I can create a new data collector set, but any time I try to edit one it asks me for this and I can't save the changes.

EDIT: I am talking about my work laptop with Windows 10 Enterprise build 1903. I am using it like any other person, with an AzureAD account which is also a member of the local Administrators group. My home PC, where I noticed the same behavior, is Windows 10 Pro build 1903. There I am logged on with a local user account which is a member of the Administrators group.

Vitas
  • Please add to your question what version of Windows you're running. Are you using a domain account and is your user a part of the `Administrators` group? _(`SYSTEM`, as you likely know, has no credentials)_ – JW0914 Dec 03 '19 at 13:04
  • Question edited. And yes, I DID say that I don't think there even is any password for system, so that's why I think this behavior is really weird! Don't you agree? – Vitas Dec 03 '19 at 20:13
  • Are you running perfmon from the Task Scheduler? – harrymc Dec 08 '19 at 16:13
  • You mean start the collector set via a scheduled task? No. I just click Start, type perfmon and there I can create collector sets, but any time I edit them it prompts me like that – Vitas Dec 08 '19 at 18:01
  • 1
    What I have found: 1. This behavior appeared after kb4525236 2. Both logman and perfmon by default create a data collector set with "NT AUTHORITY/SYSTEM" account, but when, as you suggested, you remove username and password it changes to "SYSTEM" – Dmitry Trukhanov Dec 16 '19 at 09:11

2 Answers

6

So I don't know what causes it but seems like I found a solution/workaround: whenever it asks me for those credentials, I just delete the value from login and submit empty values and this works...

Vitas
1

I remark that NT AUTHORITY\SYSTEM has no password, so an empty password is the correct entry for that prompt.

I can only conjecture that your domain account ended up not being a member of the local groups Performance Log Users and/or Performance Monitor Users, so it is probably not a full local Administrator.

These groups are defined as:

  • Performance Log Users
    Members of this group can manage performance counters, logs, and alerts on a computer — both locally and from remote clients — without being a member of the Administrators group.

  • Performance Monitor Users
    Members of this group can monitor performance counters on a computer — locally and from remote clients — without being a member of the Administrators group or the Performance Log Users groups.

This same problem was discussed in the post Permissions Issue with Files Generated by PerfMon, where it was said:

> Data Collector Sets can contain sensitive information about the computer, so access to them typically requires the user at least be a member of the Performance Log Users group.

The solution there, actually a workaround, was to create a scheduled task that will fire when the Data Collector Set finishes running, to modify the ACLs of the directory structure recursively to "Everyone Full Control".

There was a problem with creating a trigger for the job, which then required a Custom trigger entered manually as XML:

```xml
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
    <Select Path="Microsoft-Windows-TaskScheduler/Operational">
        *[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]
         and
        *[System[(EventID='102')]]
         and
        *[EventData[Data and (Data='YOUR DATA COLLECTOR SET NAME')]]
    </Select>
  </Query>
</QueryList>
```

The trigger launched this PowerShell script:

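```powershell
# Folder that holds the Data Collector Set output
$Path = "C:\PerfLogs\Admin\New Data Collector Set"
# Read the folder's current DACL
$ACL  = (Get-Item $Path).GetAccessControl("Access")
# Allow Everyone Full Control, inherited by subfolders and files
$ACE  = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$ACL.AddAccessRule($ACE)
# Apply the modified ACL to every item below the folder
ForEach ($Item In Get-ChildItem $Path -Recurse)
{
    Set-Acl -AclObject $ACL $Item.FullName
}
```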

This solution is complicated, so it might be simpler to just continue entering an empty password when prompted.

harrymc
  • 1
    Actually I cannot submit it with an empty password. If I do, it says wrong password. I have to delete the login as well and only that way it works - to submit both fields empty. Do you confirm that if you open the properties of a collector set, change the interval value for example and click OK, then it saves without questions? – Vitas Dec 09 '19 at 20:07
  • I can't confirm it, since I'm not in a position to duplicate the problem. – harrymc Dec 09 '19 at 21:09
  • What position do you mean? Do you have a Windows 10 computer? That's all you need to test this – Vitas Dec 13 '19 at 15:37
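
A narrower alternative to the "Everyone Full Control" script in the answer above, as an added example that is not part of the original posts: it grants read access only to the built-in Performance Log Users group (well-known SID S-1-5-32-559) and removes explicit Everyone entries left by the workaround. It assumes an elevated Windows PowerShell 5.1 session, the folder path from the answer's script, and that the people who need the logs are members of that group; `Grant-PerfLogRead` is a name made up for this example.

```powershell
# Added example, not from the original answer. Run elevated (Windows PowerShell 5.1).
$Path = 'C:\PerfLogs\Admin\New Data Collector Set'   # path from the answer's script

# Well-known SIDs, so nothing depends on localized group names.
$PerfLogUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-559'  # Performance Log Users
$Everyone     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'       # Everyone

function Grant-PerfLogRead {   # hypothetical helper name
    param([string]$Target, [bool]$IsContainer)
    # Inheritance flags only make sense on folders; files get a plain ACE.
    $inherit  = if ($IsContainer) { 'ContainerInherit,ObjectInherit' } else { 'None' }
    $ruleArgs = $PerfLogUsers, 'ReadAndExecute', $inherit, 'None', 'Allow'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl  = Get-Acl -LiteralPath $Target
    $acl.PurgeAccessRules($Everyone)   # drop explicit Everyone ACEs
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Target -AclObject $acl
}

# The top folder gets an inheritable ACE, which covers children that inherit.
Grant-PerfLogRead -Target $Path -IsContainer $true

# Children need their own ACE only if inheritance is blocked, or if they still
# carry an explicit Everyone entry that has to be removed.
foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -Force) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $everyoneAces = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $Everyone.Value }
    if ($acl.AreAccessRulesProtected -or $everyoneAces) {
        Grant-PerfLogRead -Target $item.FullName -IsContainer $item.PSIsContainer
    }
}
```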