Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

What determines User definiton in NT Event ID 540

Posted on 2009-05-12
5
Medium Priority
?
524 Views
Last Modified: 2013-12-04

Hello,

I am trying to understand and define what determines the User definition in the following NT Event ID:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBC65)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      




Note that     "User: NT AUTHORITY\SYSTEM"     I have an isolated cases where the user: is defined as Domain\Username.  
I believe these events are being generated when a particular Service Stops\Starts (there are also associated NT Event ID 538 with these 540's as well) and I have already checked the Service to verify it is running under the SYSTEM account.


Thanks,

500 pts due to urgency.
0
Comment
Question by:Charlie_Melega
  • 2
  • 2
5 Comments
 
LVL 26

Expert Comment

by:Pber
ID: 24367471

 
The "User:" definition is this case is indicating that the SYSTEM account is the service running under the OS that servicing the logon request from the computer MAILCR.
This explains the logon process well under the "Bottom Line":
http://www.mail-archive.com/activedir@mail.activedir.org/msg08710.html
 
Next lets look at logon types. This displays some of the common ones:
http://www.windowsnetworking.com/nt/atips/atips57.shtml

In this case you have a logon type of 3 which indicates a Network Logon. This means this logon was initiated over a network such as someone accessing the computers share.

The EventId of 540 corroborates the event id of 3 as both are indications of Network logons.
http://technet.microsoft.com/en-us/library/cc787567.aspx

See these for further info:
http://www.experts-exchange.com/Networking/Network_Management/Auditing_Software/Q_22413459.html 
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=540 
0
 

Author Comment

by:Charlie_Melega
ID: 24412398
Thanks for the links and they were informative.  I am still reviewing the data in these pages. Is there and explanation for the event in the following screenshot that I have attached?  Notice that the User logon is not NT AUTHORITY\SYSTEM but an actual domain\username.  I know for a fact that this event was caused by the restarting of an application Service. In most cases, the User Logon is NT AUTHORITY\SYSTEM, however, that is not the case here.  This defies all Windows logic and theory.  I cannot replicate or debug why the user login is in the form of domain\username and not  NT AUTHORITY\SYSTEM .   Thank You for any thoughts or details.

0
 

Author Comment

by:Charlie_Melega
ID: 24412422
screenshot attached
userlogin.bmp
0
 
LVL 26

Accepted Solution

by:
Pber earned 2000 total points
ID: 24421116
It is possible since you restarted a service that a remote user using the service was disconnected at that time.
0

Featured Post

WatchGuard Case Study: Museum of Flight

“With limited money and limited staffing, we didn’t have a lot of choices in terms of what we could do to bring efficiency. WatchGuard played a central part in changing that.” To provide strong, secure Wi-Fi access within the museum, Hunter chose to deploy WatchGuard’s AP120 APs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question