Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Logon/Logoff NT Event ID's

Posted on 2009-04-15
3
Medium Priority
?
553 Views
Last Modified: 2013-12-28
I have an application that generates NT Events (Security)  whenever the Service for that application is STOP\STARTED.  The Event are ID numbers 538,  540 and 576. These Events are all related to the Logon/Logoff Category.  Under normal conditions, these NT Event ID's show the "User:" field as "NT AUTHORITY\SYSTEM ".  In a particular case, the "User:" field is showing the actual locally logged on User and not "NT AUTHORITY\SYSTEM ".  
I have verified that the Service in question is running under the SYSTEM account.

The question is, what conditions would cause the  "User:"  filed in an NT Logon/Logoff Security Event to show as the locally logged in User event though the Service is running under the SYSTEM context?

Thanks for any assistance, 500 points due to urgency.


Charlie
0
Comment
Question by:Charlie_Melega
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 23

Accepted Solution

by:
ComputerTechie earned 1500 total points
ID: 24149931
The KB below suggests that you disable the auditing of "privilige use" to
reduce the number of events in the security log. That is not a category that
one would normally audit all the time. There is lot going on with that
server [your examples indicate backup activity] so it does not surprise me
that you see a lot of logon events also. If you want to reduce them also
consider auditing just account logon events for success and failure and
logon events for just failure.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;264769
CT
 
0
 

Author Comment

by:Charlie_Melega
ID: 24151019

Thanks for this KB. It can be helpful but what I am really trying to determine is why this NT Event is indicating the locally logged on User as opposed to the SYSTEM context.  The application in question is an on-box Monitoring tool. The agent\service when restarted generated these NT Events with locally logged in username in the Event despite the fact the Agent Service is running under SYSTEM context.  The KB can tell me how to suppress these Event but no why the User name is included in the NT Event and not SYSTEM ("NT AUTHORITY\SYSTEM ).
0
 
LVL 23

Expert Comment

by:ComputerTechie
ID: 24152060
Have you tried changing the user account group to Interactive group
CT
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
What we learned in Webroot's webinar on multi-vector protection.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question