Solved

What determines User definiton in NT Event ID 540

Posted on 2009-05-12
5
506 Views
Last Modified: 2013-12-04

Hello,

I am trying to understand and define what determines the User definition in the following NT Event ID:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBC65)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      




Note that     "User: NT AUTHORITY\SYSTEM"     I have an isolated cases where the user: is defined as Domain\Username.  
I believe these events are being generated when a particular Service Stops\Starts (there are also associated NT Event ID 538 with these 540's as well) and I have already checked the Service to verify it is running under the SYSTEM account.


Thanks,

500 pts due to urgency.
0
Comment
Question by:Charlie_Melega
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 26

Expert Comment

by:Pber
ID: 24367471

 
The "User:" definition is this case is indicating that the SYSTEM account is the service running under the OS that servicing the logon request from the computer MAILCR.
This explains the logon process well under the "Bottom Line":
http://www.mail-archive.com/activedir@mail.activedir.org/msg08710.html
 
Next lets look at logon types. This displays some of the common ones:
http://www.windowsnetworking.com/nt/atips/atips57.shtml

In this case you have a logon type of 3 which indicates a Network Logon. This means this logon was initiated over a network such as someone accessing the computers share.

The EventId of 540 corroborates the event id of 3 as both are indications of Network logons.
http://technet.microsoft.com/en-us/library/cc787567.aspx

See these for further info:
http://www.experts-exchange.com/Networking/Network_Management/Auditing_Software/Q_22413459.html 
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=540 
0
 

Author Comment

by:Charlie_Melega
ID: 24412398
Thanks for the links and they were informative.  I am still reviewing the data in these pages. Is there and explanation for the event in the following screenshot that I have attached?  Notice that the User logon is not NT AUTHORITY\SYSTEM but an actual domain\username.  I know for a fact that this event was caused by the restarting of an application Service. In most cases, the User Logon is NT AUTHORITY\SYSTEM, however, that is not the case here.  This defies all Windows logic and theory.  I cannot replicate or debug why the user login is in the form of domain\username and not  NT AUTHORITY\SYSTEM .   Thank You for any thoughts or details.

0
 

Author Comment

by:Charlie_Melega
ID: 24412422
screenshot attached
userlogin.bmp
0
 
LVL 26

Accepted Solution

by:
Pber earned 500 total points
ID: 24421116
It is possible since you restarted a service that a remote user using the service was disconnected at that time.
0

Featured Post

Is Your DevOps Pipeline Leaking?

Is your CI/CD pipeline a hodge-podge of randomly connected tools? You’ve likely got a tool to fix one problem & then a different tool to fix another, resulting in a cluster of tools with overlapping functionality. Learn how to optimize your pipeline with Gartner's recommendations

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question