Solved

Logon/Logoff NT Event ID's

Posted on 2009-04-15
Last Modified: 2013-12-28
I have an application that generates NT Events (Security) whenever the Service for that application is STOP\STARTED. The Events are ID numbers 538, 540 and 576. These Events are all related to the Logon/Logoff Category. Under normal conditions, these NT Event IDs show the "User:" field as "NT AUTHORITY\SYSTEM". In a particular case, the "User:" field is showing the actual locally logged on User and not "NT AUTHORITY\SYSTEM".
I have verified that the Service in question is running under the SYSTEM account.

The question is, what conditions would cause the "User:" field in an NT Logon/Logoff Security Event to show as the locally logged in User even though the Service is running under the SYSTEM context?

Thanks for any assistance, 500 points due to urgency.


Charlie
Question by:Charlie_Melega
3 Comments
 
LVL 23

Accepted Solution

by:
ComputerTechie earned 500 total points
ID: 24149931
The KB below suggests that you disable the auditing of "privilege use" to
reduce the number of events in the security log. That is not a category that
one would normally audit all the time. There is a lot going on with that
server [your examples indicate backup activity] so it does not surprise me
that you see a lot of logon events also. If you want to reduce them also
consider auditing just account logon events for success and failure and
logon events for just failure.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;264769
CT

Author Comment

by:Charlie_Melega
ID: 24151019

Thanks for this KB. It can be helpful, but what I am really trying to determine is why this NT Event is indicating the locally logged on User as opposed to the SYSTEM context. The application in question is an on-box Monitoring tool. The agent\service, when restarted, generated these NT Events with the locally logged in username in the Event despite the fact the Agent Service is running under the SYSTEM context. The KB can tell me how to suppress these Events but not why the User name is included in the NT Event and not SYSTEM ("NT AUTHORITY\SYSTEM").
 
LVL 23

Expert Comment

by:ComputerTechie
ID: 24152060
Have you tried changing the user account group to the Interactive group?
CT
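To work out which account and which logon type the 538/540/576 entries actually carry (the question above) before changing audit policy as the accepted solution suggests, the following PowerShell script is an added example, not code from the thread. It assumes the classic pre-Vista Security log message layout with "Logon Type:" and "Logon ID:" lines and reads the log with Get-EventLog; the parameter names are ours.

```powershell
# Added example: summarise classic Logon/Logoff events 538 (logoff),
# 540 (successful network logon) and 576 (special privileges assigned to
# new logon) by the account in the "User:" field and by logon type, so that
# entries belonging to the interactive console session can be told apart
# from those of a service running as SYSTEM.
# Assumption: classic message layout ("Logon Type:<tab>3", "Logon ID:<tab>(0x0,0x3E7)").
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # hypothetical parameter names
    [int]$Newest = 2000
)

$ids = 538, 540, 576

$events = Get-EventLog -LogName Security -ComputerName $ComputerName -Newest $Newest |
    Where-Object { $ids -contains $_.EventID }

$rows = foreach ($e in $events) {
    $msg = $e.Message
    # 576 messages carry no Logon Type, so that column stays empty for them.
    $type = if ($msg -match 'Logon Type:\s*(\d+)') { [int]$matches[1] } else { $null }
    $logonId = if ($msg -match 'Logon ID:\s*\(?(0x[0-9A-Fa-f]+),\s*(0x[0-9A-Fa-f]+)\)?') {
        "$($matches[1]),$($matches[2])"
    } else { $null }
    [pscustomobject]@{
        Time      = $e.TimeGenerated
        EventID   = $e.EventID
        User      = $e.UserName      # the "User:" field the question asks about
        LogonType = $type
        LogonId   = $logonId
    }
}

# Logon type 2 = interactive, 3 = network, 5 = service. Entries generated by
# the service itself should show SYSTEM; user-attributed rows with type 2
# come from the console session rather than from the service.
$rows | Group-Object User, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Tie each 576 (privilege assignment) to the 540 logon sharing its Logon ID,
# which shows under whose logon session the privileges were granted.
$rows | Where-Object { $_.EventID -eq 576 } | ForEach-Object {
    $lid = $_.LogonId
    $logon = $rows | Where-Object { $_.EventID -eq 540 -and $_.LogonId -eq $lid } |
        Select-Object -First 1
    [pscustomobject]@{ PrivilegeEvent = $_.Time; User = $_.User; LogonId = $lid; LogonAt = $logon.Time }
} | Format-Table -AutoSize
```

Run it on the monitored server while restarting the agent service; if the user-attributed 540/576 rows carry logon type 2 and a Logon ID matching the console session, they belong to that session rather than to the service.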