Interpreting Windows Security Event ID Activity

9 Posts
3 Users
0 Reactions
771 Views
(@mandjw)
Active Member
Joined: 17 years ago
Posts: 7
Topic starter  

Hello,

I am investigating a case where the system is a domain controller on a 2003 system. I will see entries in the security event log made by a user where they will log onto the network (event ID 540), then while other events are occurring (673 and 672) there will be another security event log entry where the event ID is 540 (again) and in the same second event ID 538 (indicating a network logoff). Then this is followed up by the logoff from the first 540 event ID logon that I first mentioned. I can track the sessions from the event IDs.

For example

130101 event id 540 (network logon) ID 0x00a7
130101 event id 673 ID 0x00a7
130101 event id 672 ID 0x00a7
.
.
132002 event id 540 (network logon) ID 0x0EBC
132002 event id 538 (network logoff) ID 0x0EBC
.
.
.
133905 event id 538 (network logoff) ID 0x00a7

I understand what each event ID means, but I am not sure why there would be two (below) in the middle of a current session. Is this due to accessing a file on a share?

132002 event id 540 (network logon) ID 0x0EBC
132002 event id 538 (network logoff) ID 0x0EBC

Thanks


   
Quote
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Event 540 is not just recorded when a user logs on to the network, 540 gets logged when a user on the network connects to any resource (e.g. shared folder) provided by the Server Service. Ditto for 538. Remember that 538 is not always logged, it can sometimes show up as a 551 or may not be logged at all. The somewhat random nature of 538 logging is caused by the way the Server Service terminates idle connections.


   
ReplyQuote
(@mandjw)
Active Member
Joined: 17 years ago
Posts: 7
Topic starter  

BitHead,

Thanks for your information. I really appreciate it. What I have associated with the 540 logon and 538 logoff is an event ID 576 (Special Privileges assigned to new logon) with a User Name of the hostcomputer$, which is the DC and the system where I am trying to identify access to a certain file. Does the event ID 576 and short 540/538 (within the same second) sandwiched between the longer 540 and 538 times indicate access to a file?

thanks


   
ReplyQuote
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

576, which may or may not be logged, is really just an entry that some privileges were assigned to a logon. You may also see 577 or 578 which are similar to 576 in that they are a log of privileges, but 577 and 578 happen closer to the actual event rather than close to the logon.

These are high volume events, which typically do not contain sufficient information to act upon since they do not describe what operation occurred.


   
ReplyQuote
(@mandjw)
Active Member
Joined: 17 years ago
Posts: 7
Topic starter  

Bithead,

Again, thanks for your information. Am I correct in saying that on a Windows 2003 system, in order for a user to have a 540 event (requesting resources), an event 680 has had to occur first, at some point?

So basically, if someone RDPs to the DC and accesses a file on a share on that machine, there will be the 680 account logon event on the DC, then also the 540 event to access the file?

OR

If the end user logs on to the domain in the morning (9:00 am), generating a 680 event on the DC, then throughout the day accesses files on the DC, or RDPs to the DC, will each of these generate a 540/538? But the RDP, say in the afternoon from client to DC, will not generate an Account Logon 680, but just a 540, because the end system already authenticated with the domain in the morning.

Thanks,


   
ReplyQuote
(@mandjw)
Active Member
Joined: 17 years ago
Posts: 7
Topic starter  

One correction on the previous post, since kerberos is used, replace the 680 events with 672.


   
ReplyQuote
(@mandjw)
Active Member
Joined: 17 years ago
Posts: 7
Topic starter  

Does anyone know if the default IIS IUSR account would ever need to authenticate with a domain controller, issuing an event ID of 672/673? I have an event where the SID making the 672 request is S-1-5-18. This is then followed up by an event 552 where the username is Network Service, requested by the SID S-1-5-20.

Thanks,


   
ReplyQuote
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

One correction on the previous post, since kerberos is used, replace the 680 events with 672.

680 is when DC successfully authenticates a user via NTLM.

672 is the initial logon and is logged when the DC grants the Ticket Granting Ticket (TGT).

673 is logged when service tickets are obtained by a user or computer accessing a server on the network.


   
ReplyQuote
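The two points bithead makes above, that a 540/538 pair is logged for every Server Service connection (so a same-second pair in the middle of a longer session is ordinary share access, and the 538 may never arrive), and that 672 is the TGT while 673 is each service ticket, are easy to check mechanically once the events are paired by Logon ID. The following is an added example written for this thread, not code posted by any of the participants. It works on a constructed CSV export whose column layout (time, event_id, account, logon_id) is an assumption; real 2003 logs carry the Logon ID as "(0x0,0x4E7)" and would need that field split out first. The sample timestamps and Logon IDs are modelled on the ones quoted in the original post.

```python
"""Pair Windows 2003-era Security log 540/538 events by Logon ID, tag
sub-second pairs (share access), and list the 672/673 Kerberos chain.

Added example for this thread; the CSV layout below is an assumption
about an exported log, and the rows are constructed, not real data.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample export (assumed column names), modelled on the
# times and Logon IDs quoted in the original post.
SAMPLE_LOG = """\
time,event_id,account,logon_id
130101,672,jdoe,-
130101,673,jdoe,-
130101,540,jdoe,0x00a7
132002,673,jdoe,-
132002,540,jdoe,0x0EBC
132002,538,jdoe,0x0EBC
133905,538,jdoe,0x00a7
140500,540,jdoe,0x1A2B
"""

EVENT_NAMES = {
    540: "network logon",
    538: "network logoff",
    672: "Kerberos TGT granted",
    673: "Kerberos service ticket granted",
    680: "NTLM authentication",
}


@dataclass
class Event:
    time: int                 # seconds since midnight
    event_id: int
    account: str
    logon_id: Optional[str]   # None for 672/673, which carry no Logon ID here


@dataclass
class Session:
    logon_id: str
    account: str
    start: int
    end: Optional[int]        # None when no 538 was ever logged

    @property
    def duration(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def hhmmss_to_seconds(stamp: str) -> int:
    """Convert the HHMMSS stamps used in the thread into seconds."""
    return int(stamp[0:2]) * 3600 + int(stamp[2:4]) * 60 + int(stamp[4:6])


def parse_events(text: str) -> List[Event]:
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        lid = row["logon_id"]
        events.append(Event(hhmmss_to_seconds(row["time"]), int(row["event_id"]),
                            row["account"], None if lid == "-" else lid.lower()))
    return events


def pair_sessions(events: List[Event]) -> List[Session]:
    """Match each 540 with the next 538 carrying the same Logon ID.

    sorted() is stable, so a 540 and 538 logged in the same second keep
    their log order and still pair up correctly.
    """
    open_sessions: Dict[str, Session] = {}
    closed: List[Session] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == 540 and ev.logon_id:
            open_sessions[ev.logon_id] = Session(ev.logon_id, ev.account, ev.time, None)
        elif ev.event_id == 538 and ev.logon_id in open_sessions:
            sess = open_sessions.pop(ev.logon_id)
            sess.end = ev.time
            closed.append(sess)
    # Anything still open never got a 538: the Server Service may simply
    # not have logged one when it dropped the idle connection.
    return closed + list(open_sessions.values())


def classify(sess: Session, transient_seconds: int = 1) -> str:
    """Label a paired session; the 1 s threshold is an assumption."""
    if sess.end is None:
        return "open (no 538 logged)"
    if sess.duration <= transient_seconds:
        return "transient share access"
    return "long-lived session"


def kerberos_chain(events: List[Event], account: str) -> List[tuple]:
    """Return (time, description) for the account's 672/673 events in order."""
    return [(ev.time, EVENT_NAMES[ev.event_id])
            for ev in sorted(events, key=lambda e: e.time)
            if ev.account == account and ev.event_id in (672, 673)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for s in pair_sessions(evs):
        print(f"{s.logon_id:8} {s.account:6} start={s.start} end={s.end} "
              f"duration={s.duration} -> {classify(s)}")
    for t, what in kerberos_chain(evs, "jdoe"):
        print(f"{t} {what}")
```

Run against a real export, the "transient share access" rows are the ones the original post asks about, and the "open (no 538 logged)" rows are bithead's caveat made visible; neither tells you which file was touched, which is why object-access auditing (560/567 on 2003) rather than logon/logoff events is what answers the file-access question.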
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

There's a lot of information out there if you're willing to look for it…

http://support.microsoft.com/kb/274176
http://support.microsoft.com/kb/301677

