08-25-2024 04:28 PM
We have an alert on 2 different device that LSASS is creating a cache1.bin on app data.
All are created by NT\SYSTEM
Location detected
C:\Users<my username>\AppData\Local\Microsoft\Windows\SFAP\cache1.bin
C:\Windows\ServiceProfiles\UIFlowService\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pilogsrvX64\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pinetmgr\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pilogsrv\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pimsgss\AppData\Local\Microsoft\Windows\SFAP\cache1.bin\SFAP\cache1.bin
I tried to search for same issue and found one on Microsoft but not answered.
https://learn.microsoft.com/en-us/answers/questions/1336646/what-is-the-cache1-bin-on-windows-11
Have anyone experience this?
What course of action taken?
08-26-2024 01:56 AM - edited 08-26-2024 01:58 AM
We have seen a few of these alerts ourselves but no idea why.
As an additional piece of information, this event coincides with an event logged in the system log of affected hosts as per below:
NETLOGON Event ID 5823
The system successfully changed its password on the domain controller \\Domaincontroller. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
