Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 559
  • Last Modified:

Logon/Logoff NT Event ID's

I have an application that generates NT Events (Security)  whenever the Service for that application is STOP\STARTED.  The Event are ID numbers 538,  540 and 576. These Events are all related to the Logon/Logoff Category.  Under normal conditions, these NT Event ID's show the "User:" field as "NT AUTHORITY\SYSTEM ".  In a particular case, the "User:" field is showing the actual locally logged on User and not "NT AUTHORITY\SYSTEM ".  
I have verified that the Service in question is running under the SYSTEM account.

The question is, what conditions would cause the  "User:"  filed in an NT Logon/Logoff Security Event to show as the locally logged in User event though the Service is running under the SYSTEM context?

Thanks for any assistance, 500 points due to urgency.


Charlie
0
Charlie_Melega
Asked:
Charlie_Melega
  • 2
1 Solution
 
ComputerTechieCommented:
The KB below suggests that you disable the auditing of "privilige use" to
reduce the number of events in the security log. That is not a category that
one would normally audit all the time. There is lot going on with that
server [your examples indicate backup activity] so it does not surprise me
that you see a lot of logon events also. If you want to reduce them also
consider auditing just account logon events for success and failure and
logon events for just failure.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;264769
CT
 
0
 
Charlie_MelegaAuthor Commented:

Thanks for this KB. It can be helpful but what I am really trying to determine is why this NT Event is indicating the locally logged on User as opposed to the SYSTEM context.  The application in question is an on-box Monitoring tool. The agent\service when restarted generated these NT Events with locally logged in username in the Event despite the fact the Agent Service is running under SYSTEM context.  The KB can tell me how to suppress these Event but no why the User name is included in the NT Event and not SYSTEM ("NT AUTHORITY\SYSTEM ).
0
 
ComputerTechieCommented:
Have you tried changing the user account group to Interactive group
CT
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now