• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 541
  • Last Modified:

What determines User definiton in NT Event ID 540


Hello,

I am trying to understand and define what determines the User definition in the following NT Event ID:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBC65)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      




Note that     "User: NT AUTHORITY\SYSTEM"     I have an isolated cases where the user: is defined as Domain\Username.  
I believe these events are being generated when a particular Service Stops\Starts (there are also associated NT Event ID 538 with these 540's as well) and I have already checked the Service to verify it is running under the SYSTEM account.


Thanks,

500 pts due to urgency.
0
Charlie_Melega
Asked:
Charlie_Melega
  • 2
  • 2
1 Solution
 
PberSolutions ArchitectCommented:

 
The "User:" definition is this case is indicating that the SYSTEM account is the service running under the OS that servicing the logon request from the computer MAILCR.
This explains the logon process well under the "Bottom Line":
http://www.mail-archive.com/activedir@mail.activedir.org/msg08710.html
 
Next lets look at logon types. This displays some of the common ones:
http://www.windowsnetworking.com/nt/atips/atips57.shtml

In this case you have a logon type of 3 which indicates a Network Logon. This means this logon was initiated over a network such as someone accessing the computers share.

The EventId of 540 corroborates the event id of 3 as both are indications of Network logons.
http://technet.microsoft.com/en-us/library/cc787567.aspx

See these for further info:
http://www.experts-exchange.com/Networking/Network_Management/Auditing_Software/Q_22413459.html 
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=540 
0
 
Charlie_MelegaAuthor Commented:
Thanks for the links and they were informative.  I am still reviewing the data in these pages. Is there and explanation for the event in the following screenshot that I have attached?  Notice that the User logon is not NT AUTHORITY\SYSTEM but an actual domain\username.  I know for a fact that this event was caused by the restarting of an application Service. In most cases, the User Logon is NT AUTHORITY\SYSTEM, however, that is not the case here.  This defies all Windows logic and theory.  I cannot replicate or debug why the user login is in the form of domain\username and not  NT AUTHORITY\SYSTEM .   Thank You for any thoughts or details.

0
 
Charlie_MelegaAuthor Commented:
screenshot attached
userlogin.bmp
0
 
PberSolutions ArchitectCommented:
It is possible since you restarted a service that a remote user using the service was disconnected at that time.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now