05-10-2024, 02:31 AM
You ever run into that weird event in Windows Server where it says an application tried to poke at a blocked ordinal through the TBS? That's event 4671 popping up in the Event Viewer. TBS is TPM Base Services, the Windows layer that brokers access to the Trusted Platform Module, the hardware bit that handles security keys and encryption stuff, and an "ordinal" is just the number of a TPM command. Windows keeps a list of blocked TPM commands (there's a Group Policy setting for it under System > Trusted Platform Module Services), and 4671 means some app sent one of those; the request gets refused before it ever reaches the chip. I see this happen when rogue software or even a misbehaving program thinks it can snoop on protected areas. The event records the account that made the call, the process ID, and which ordinal it targeted, like ordinal 42 or whatever number shows up, plus the time stamp. It does not name a TBS function, only the ordinal, so you map that back to the TPM command yourself. Without the matching audit subcategory turned on, you might miss it entirely. But once it's there, it flags potential trouble, like malware sniffing around your server's secure zones, so check whether the process is something you recognize and whether that ordinal is on your block list on purpose. I always check the details tab in Event Viewer to see the XML data too, it gives you the raw bits on what failed and why. And yeah, this ties into the security audit logs under the Microsoft-Windows-Security-Auditing channel.
Now, if you want to keep an eye on these without staring at the screen all day, I set mine up through Event Viewer itself. You fire up Event Viewer on your server, right-click the Custom Views folder, and whip up a new one filtering just for event ID 4671. Make sure it's pulling from the Security log. Then save that view so you can attach actions to it later. I go to the Actions pane, hit Attach Task To This Custom View, and that links the task to trigger on the event. You name the task something snappy like TBS Block Alert. In the task settings, I point it to run whether you're logged in or not, and set it to wake the machine if needed. For the action, you pick Start a program and point it at a script that sends the email (the old Send an e-mail action is deprecated), or whatever your setup allows, but we'll get to that. I test it by forcing a trigger if possible, just to watch it fire off. Keeps you in the loop without much hassle.
Or, you could tweak the task to run a basic command that pings your email right when it hits. I keep the triggers narrow so it doesn't spam you on every little thing. But hey, monitoring this way catches those sneaky access tries early.
Speaking of keeping your server safe from oddball issues like that, I rely on BackupChain Windows Server Backup for my backups. It's this solid Windows Server tool that handles full system snapshots and also backs up virtual machines running on Hyper-V without a hitch. You get fast incremental saves, easy restores even for bare-metal crashes, and it runs light so it doesn't bog down your setup. Plus, the versioning lets you roll back to any point, which saves my bacon more times than I can count.
Note: the PowerShell email alert code was moved to this post.
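Here is the same custom view and event-triggered task done from PowerShell, as an added example that is not code from the original post. It pulls the 4671 hits that are already in the Security log, flattens the XML from the Details tab into named fields, and registers the scheduled task with schtasks.exe using the same XPath filter. It assumes you run it elevated on the server; the task name TBS Block Alert and the script path C:\Scripts\Tbs4671.ps1 are placeholders for whatever your alert script ends up being.

```powershell
# Added example (not from the original post). Run elevated on the server.
# Placeholders: task name "TBS Block Alert", alert script C:\Scripts\Tbs4671.ps1.

# 0. If the relevant audit subcategory is off, 4671 never lands in the log.
#    Review the current advanced audit policy before trusting an empty result.
auditpol.exe /get /category:*

# 1. The XPath the custom view uses: Security-Auditing provider, event 4671.
$xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4671]]"

function Get-Tbs4671Event {
    param([int]$MaxEvents = 20)
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $props = [ordered]@{ TimeCreated = $_.TimeCreated; RecordId = $_.RecordId }
            # Flatten every <Data Name="..."> element so the subject account, process ID
            # and ordinal come out as named properties without hard-coding the schema.
            foreach ($d in $xml.Event.EventData.Data) {
                $props[$d.GetAttribute('Name')] = $d.InnerText
            }
            [pscustomobject]$props
        }
}

# 2. Show what is already in the log; an unfamiliar process or an ordinal that is
#    not on your block list on purpose is what to chase.
Get-Tbs4671Event | Format-List

# 3. Register the event-triggered task the post builds by hand: Security channel,
#    same XPath, runs as SYSTEM so it fires whether or not anyone is logged on.
#    /F overwrites an existing task with the same name.
$action = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Tbs4671.ps1'
schtasks.exe /Create /F /TN "TBS Block Alert" /SC ONEVENT /EC Security /MO $xpath /TR $action /RU SYSTEM
```

The XPath string is the one thing shared between the manual custom view and the task trigger, so keep it in a single variable; if you later narrow the filter (say, to a specific process), both the view and the alert stay in step.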