Microsoft Teams filling Security Log with seProfileSingleProcessPrivilege

Recently, we started seeing a phenomenon where any machine running Microsoft Teams (office 365 E3 version) will emit event 4673 at a high rate, indicating a failed attempt to use the seProfileSingleProcessPrivilege. Counting one random second's worth of these entries, I saw 120. The volume of these audit failures is causing the security log to fill and overwrite so quickly that no valuable information can be retained.

By policy, we audit both success and failure on privilege use, so turning off audit is not an option. Granting the privilege to all users seems like a poor security practice as well.

I do not see chatter about this issue, so I am wondering if we are alone with this symptom.

I can't explain why Teams would be attempting to grant this privilege to itself.

We can't find any indications of compromise and have installed teams on a fresh laptop and see this symptom.

I would love to hear any ideas on how to convince Teams to stop this behavior.

We opened a case with Microsoft Support. They dug a bit and found that Teams is written on top of Chromium. Chromium is calling QueryWorkingSetEx. It is unclear why this is interesting, but QueryWorkingSetEx requires seProfileSingleProcessPrivilege. It is unclear if QueryWorkingSetEx just fails or if it does something interesting even if it can't enable the privilege. Microsoft is still reviewing at this time.

Update 1/19/2023 - Microsoft closed the case on this with no action. They could update Chromium so that this behavior is mitigated. They chose not to. They adamantly don't care about this issue and their official recommendation was to stop logging the error.

I don't think there is anything you can do on your end, other than temporarily stop auditing privilege use (which IMHO is largely useless anyways since it just creates noise) and possibly increase the log of the security event log.

Since this privilege is used for performance monitoring and you only just recently discovered it, it seems that this was added in a recent Teams update. It sounds like a bug in the software where maybe a developer was profiling something and they forgot to take it out.

Would be interesting to see if older versions of Teams do the same thing, if you have some computers with an older version.