ty_young_99
asked on
Event id 540 and 538 within seconds of each other for only two of the pcs on my domain
In my event viewer on one off my servers i get event id 540 and 538 over and over again within seconds of each other but only on two of the machines in my domain. it happens no matter who is logged into that machine or not and nothing is running when this occurs as far as i know. we even have an instance were we will get this event during the weekend even when the wharehouse is closed and it logs it with in seconds of each other over and over again for the user last logged into that pc. but there is no one here to even be using the pc, and on top of that every pc is logged off during the weekend. if anyone has any ideas please let me know. Changing auditing settings is not an option i just need to find out what is causing this on these two computers.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Investigating further, for me disabling the NetBIOS settings in :
NIC Properties--> IP Properties--> Advanced--> WINS
Since my environment is above W2K, my machines don't need NetBIOS enabled.
Once disabled, the two events stopped happening.
Cheers,
Christian
NIC Properties--> IP Properties--> Advanced--> WINS
Since my environment is above W2K, my machines don't need NetBIOS enabled.
Once disabled, the two events stopped happening.
Cheers,
Christian
I have exactly the same issue, but on a client XP machine.
Event 540 is generated by a Workstation, with no User Name and Domain information.
Logon Process: NtLmSsp
Authentication Package : NTLM
The workstation name is apparently random
Logon GUID: -
The client is not sharing anything apart from the $ drives and his Outlook Calendar, not even printers.
On the client side, running NETSTAT -B when I catch it, I get the event which is :
Protocol : TCP
Local Address: local_pc:netbios-ssn
Foreign address: foreign_pc:port_number
State: Estabilished
PID: 4
The event is paired with Event 538. From what I can see, it appears as a log-on and log-off action.
What I would like to know is what this is triggering it and why.
Thank you.
Xn