The underlying architecture of the SAS Environment Manager agent calls an API that leads to the querying of user group data in a Windows environment, which generates Event ID: 4799 entries. This issue occurs when a SAS server running the SAS Environment Manager agent has enhanced Windows security logging enabled (which is not enabled by default on Windows). As a result, Event ID: 4799 entries flood the Windows security log.

This querying process can cause numerous logging activity in the Windows security logs. Some of the symptoms might include the following:

• The Windows security logs on the SAS server and/or domain controller fill up.
• Numerous Event ID: 4799 entries occur in the Windows event viewer logs from the “Source: Microsoft-Windows-Security-Auditing” associated with the SAS Private JRE process name: C:\Program Files\SASHome\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin\java.exe.

Workaround

To work around this issue, change the Startup Type for the SAS Environment Manager server and the SAS Environment Manager agent services to manual or disabled in the Windows services console. Then, stop both services.



With this workaround, these SAS services will not be running at all. Doing this will not affect the functionality of SAS® 9.4. However, you will not be able to use the SAS Environment Manager monitoring and administration capabilities.