Solved

Logon/Logoff NT Event IDs

Posted on 2009-04-15
Last Modified: 2013-12-28
I have an application that generates NT Events (Security) whenever the Service for that application is STOPPED\STARTED. The Events are ID numbers 538, 540 and 576. These Events are all related to the Logon/Logoff Category. Under normal conditions, these NT Event IDs show the "User:" field as "NT AUTHORITY\SYSTEM ". In a particular case, the "User:" field is showing the actual locally logged on User and not "NT AUTHORITY\SYSTEM ".
I have verified that the Service in question is running under the SYSTEM account.

The question is, what conditions would cause the "User:" field in an NT Logon/Logoff Security Event to show as the locally logged in User even though the Service is running under the SYSTEM context?

Thanks for any assistance, 500 points due to urgency.


Charlie
Question by:Charlie_Melega

Accepted Solution

by: ComputerTechie earned 500 total points
ID: 24149931
The KB below suggests that you disable the auditing of "privilege use" to
reduce the number of events in the security log. That is not a category that
one would normally audit all the time. There is a lot going on with that
server [your examples indicate backup activity] so it does not surprise me
that you see a lot of logon events also. If you want to reduce them also,
consider auditing just account logon events for success and failure and
logon events for just failure.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;264769
CT
 

Author Comment

by:Charlie_Melega
ID: 24151019

Thanks for this KB. It can be helpful, but what I am really trying to determine is why this NT Event is indicating the locally logged on User as opposed to the SYSTEM context. The application in question is an on-box Monitoring tool. The agent\service, when restarted, generated these NT Events with the locally logged in username in the Event despite the fact that the Agent Service is running under the SYSTEM context. The KB can tell me how to suppress these Events but not why the User name is included in the NT Event and not SYSTEM ("NT AUTHORITY\SYSTEM").

Expert Comment

by:ComputerTechie
ID: 24152060
Have you tried changing the user account group to the Interactive group?
CT
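
An added example, not part of the thread: one way to triage the events described in the question is to group Event IDs 538, 540 and 576 into logon sessions and list the sessions whose User field is not NT AUTHORITY\SYSTEM. The CSV column layout, the host and user names and the Logon ID values are constructed assumptions; the grouping key is the Logon ID that each of these events carries in its description.

```python
import csv
import io
from collections import defaultdict

SYSTEM = "NT AUTHORITY\\SYSTEM"
WATCHED = {"538", "540", "576"}  # event IDs named in the question

# Constructed sample: one service restart that produced two logon sessions,
# plus an unrelated interactive logon (528) that must be ignored.
# The column layout is an assumption, not a real Event Viewer export format.
SAMPLE = """time,event_id,user,logon_id,logon_type
2009-01-01 10:00:01,540,NT AUTHORITY\\SYSTEM ,0x3e7a1,3
2009-01-01 10:00:01,576,NT AUTHORITY\\SYSTEM ,0x3e7a1,
2009-01-01 10:00:02,538,NT AUTHORITY\\SYSTEM ,0x3e7a1,3
2009-01-01 10:00:05,540,HOST1\\jdoe,0x4b2c9,3
2009-01-01 10:00:05,576,HOST1\\jdoe,0x4b2c9,
2009-01-01 10:00:06,538,HOST1\\jdoe,0x4b2c9,3
2009-01-01 10:00:09,528,HOST1\\jdoe,0x5aa10,2
"""


def sessions(csv_text):
    """Group the watched events into logon sessions keyed by Logon ID."""
    out = defaultdict(lambda: {"user": None, "events": [], "logon_type": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] not in WATCHED:
            continue
        s = out[row["logon_id"]]
        s["user"] = row["user"].strip()  # the User field may carry a trailing space
        s["events"].append(int(row["event_id"]))
        if row["logon_type"]:            # 576 rows have no logon type
            s["logon_type"] = int(row["logon_type"])
    return dict(out)


def non_system_sessions(csv_text):
    """Return only the sessions whose User field is not the SYSTEM account."""
    return {lid: s for lid, s in sessions(csv_text).items()
            if s["user"].upper() != SYSTEM}


if __name__ == "__main__":
    for lid, s in non_system_sessions(SAMPLE).items():
        print(lid, s["user"], "type", s["logon_type"], "events", s["events"])
```

The logon type and timestamps of a flagged session can then be lined up against the service restart time to see which sessions the restart produced.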