Question "Backup Operators" Group ?

May 1, 2023
in Event Viewer, whenever Event 4799 occurs it always happens twice in the same second (once with the Administrator group, and once with the BackupOperators group)


the Domain is listed as "BuiltIn" which I assume just means it's a built in group of the system


but anyway, my question is why does it repeat the event with the Backup Operators built-in group? I checked 4799 events on my laptop as well, it does not have any BackupOperators events, it just enumerates with Administrators. this could be related to the laptop being Win11 Home, while my pc is Win10 Pro however...

looking at Computer Management, there are also no members listed in the BackupOperators group. I assume it gets added into the events as a part of a "backup" process for the enumerations, but why does it always get listed in Event Viewer if there are no members in it?
 

Backup operators is a permissions group
The Backup Operators group allows users to back up and restore files regardless of whether they have read or write access to the files. This group has a limited set of user rights, so some functions are not available to members of the Backup Operators group.
So it's likely a system operation.

Why are you looking in event viewer? I asked you last time. Very rarely do I ever find answers in there to problems.
 
no members is normal. System doesn't need any to perform tasks

It probably shows in events as it was performed by the system.

Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer.
This group can't be renamed, deleted, or removed.
By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers.


Backup Operators can override security restrictions for the sole purpose of backing up or restoring files.
The "Backup Operators" group is a historical Windows built-in group. The Backup Operators group allows users to back up and restore files regardless of whether they have access to the files or not.

It's probably used to let the system back up your files even though it didn't make them.
 

when I was combing through Event Viewer to find anything that could help me understand what was causing these random Audit Failures with Logon Type 3, I found a bunch of Event 4799's; however, instead of the Process Name being either svchost.exe, VSSVC.exe, or srtasks.exe, the Process Name was dllhost.exe


dllhost is legitimate and all, but I don't know why it called for the "security-enabled local group membership was enumerated" event. Security logs are annoying because they don't go back very far so the only instance of this dllhost enumeration was on the 6th of September, and nothing really matched up in Applications or System


anyway, that's why I was looking. to see if there were more 4799 events caused by dllhost.exe (I did also figure out why the Audit Failures were happening and it's unrelated)
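
As an added example (not part of the original thread), the search described in the post above can be scripted: this PowerShell tallies Event 4799 records by calling process and target group, and lists callers other than the three processes named in the post. The sample events are constructed; `TargetUserName`, `TargetDomainName` and `CallerProcessName` are fields of the 4799 event's EventData, and the function name is hypothetical.

```powershell
# Added example, not from the thread. Callers the post above names as the usual ones.
$expected = 'svchost.exe', 'VSSVC.exe', 'srtasks.exe'

function ConvertFrom-Event4799Xml {
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $e = ([xml]$Xml).Event
        $d = @{}
        # EventData is a list of <Data Name="...">value</Data> elements
        foreach ($item in $e.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # GetFileName tolerates an empty or missing caller path
        $exe = [IO.Path]::GetFileName([string]$d.CallerProcessName)
        [pscustomobject]@{
            Time     = [datetime]$e.System.TimeCreated.SystemTime
            Group    = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            Caller   = $exe
            Expected = $exe -in $expected
        }
    }
}

# Constructed sample events (not real log data), shaped like the XML that
# Get-WinEvent records return from .ToXml(), reduced to the fields used here.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><EventID>4799</EventID><TimeCreated SystemTime="{0}"/></System><EventData>' +
    '<Data Name="TargetUserName">{1}</Data><Data Name="TargetDomainName">Builtin</Data>' +
    '<Data Name="CallerProcessName">{2}</Data></EventData></Event>'
$samples = @(
    $template -f '2024-01-15T10:15:02Z', 'Administrators',   'C:\Windows\System32\svchost.exe'
    $template -f '2024-01-15T10:15:02Z', 'Backup Operators', 'C:\Windows\System32\svchost.exe'
    $template -f '2024-01-15T18:40:31Z', 'Administrators',   'C:\Windows\System32\dllhost.exe'
)

# To read the live Security log instead (elevated prompt), replace $samples with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4799 } |
#       ForEach-Object { $_.ToXml() }
$events = $samples | ConvertFrom-Event4799Xml

# How often each process enumerated each group
$events | Group-Object Caller, Group | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Enumerations by callers outside the expected list, oldest first
$events | Where-Object { -not $_.Expected } | Sort-Object Time |
    Format-Table Time, Caller, Group -AutoSize
```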
 
not saying it will help but have you looked in
System Information app
once it's opened, click + next to Software environment
Then choose Windows Error Reporting and wait (I assume it will take a while since Windows hasn't had a new version since last year)
now be careful clicking on headers as the dating system is stupid. It sorts alphanumerically, so the order of the dates makes no sense. I have 1st of May followed by 1st of June - I have pointed this out to Microsoft but I don't expect changes
two types of errors:
application errors
windows error reporting

if it's going to show you anything it's likely in the WER area


windows logs should include everything back to when you last installed a version update but mine seem to start in February. I had to fix windows so that is probably why.
 
I actually didn't know that option existed but yeah, there's nothing really pertaining to anything in there. dates are in perfect order for me, although I think the times are completely wrong (stuff is logged throughout at times like 5am and 2am when I know I wasn't awake or active at the time, happens even when I first had my PC)


anyway, the only events in SystemInformation on the 9th are apphangs/crashes which was probably due to Sysinternals RamMap since it "hangs" and "crashes" whenever I open or close it

I say the 9th because that's what I originally meant, not the 6th
 
rammap shouldn't crash

RAMMap uses an internal API to query the memory data. Such APIs change in new Windows 10 versions. And it looks like Microsoft made some changes in the last RS4 preview builds that cause the tool to fail.
try updating RAMMap?
 
no it doesn't crash, that's why I put it in quotations


basically what happens is that when I open it, it "hangs" for a little bit, and then I do what I need to do, close it, and end the task

it doesn't actually crash but Windows thinks it does
 
