I have an application that generates NT Events (Security) whenever the Service for that application is STOP\STARTED. The Event are ID numbers 538, 540 and 576. These Events are all related to the Logon/Logoff Category. Under normal conditions, these NT Event ID's show the "User:" field as "NT AUTHORITY\SYSTEM ". In a particular case, the "User:" field is showing the actual locally logged on User and not "NT AUTHORITY\SYSTEM ".
I have verified that the Service in question is running under the SYSTEM account.
The question is, what conditions would cause the "User:" filed in an NT Logon/Logoff Security Event to show as the locally logged in User event though the Service is running under the SYSTEM context?
Thanks for any assistance, 500 points due to urgency.