Solved

Logon/Logoff NT Event ID's

Posted on 2009-04-15
3
542 Views
Last Modified: 2013-12-28
I have an application that generates NT Events (Security)  whenever the Service for that application is STOP\STARTED.  The Event are ID numbers 538,  540 and 576. These Events are all related to the Logon/Logoff Category.  Under normal conditions, these NT Event ID's show the "User:" field as "NT AUTHORITY\SYSTEM ".  In a particular case, the "User:" field is showing the actual locally logged on User and not "NT AUTHORITY\SYSTEM ".  
I have verified that the Service in question is running under the SYSTEM account.

The question is, what conditions would cause the  "User:"  filed in an NT Logon/Logoff Security Event to show as the locally logged in User event though the Service is running under the SYSTEM context?

Thanks for any assistance, 500 points due to urgency.


Charlie
0
Comment
Question by:Charlie_Melega
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 23

Accepted Solution

by:
ComputerTechie earned 500 total points
ID: 24149931
The KB below suggests that you disable the auditing of "privilige use" to
reduce the number of events in the security log. That is not a category that
one would normally audit all the time. There is lot going on with that
server [your examples indicate backup activity] so it does not surprise me
that you see a lot of logon events also. If you want to reduce them also
consider auditing just account logon events for success and failure and
logon events for just failure.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;264769
CT
 
0
 

Author Comment

by:Charlie_Melega
ID: 24151019

Thanks for this KB. It can be helpful but what I am really trying to determine is why this NT Event is indicating the locally logged on User as opposed to the SYSTEM context.  The application in question is an on-box Monitoring tool. The agent\service when restarted generated these NT Events with locally logged in username in the Event despite the fact the Agent Service is running under SYSTEM context.  The KB can tell me how to suppress these Event but no why the User name is included in the NT Event and not SYSTEM ("NT AUTHORITY\SYSTEM ).
0
 
LVL 23

Expert Comment

by:ComputerTechie
ID: 24152060
Have you tried changing the user account group to Interactive group
CT
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn how to PXE Boot both BIOS & UEFI machines with DHCP Policies and Custom Vendor Classes
The Windows functions GetTickCount and timeGetTime retrieve the number of milliseconds since the system was started. However, the value is stored in a DWORD, which means that it wraps around to zero every 49.7 days. This article shows how to solve t…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question