Solved

What determines User definiton in NT Event ID 540

Posted on 2009-05-12
5
508 Views
Last Modified: 2013-12-04

Hello,

I am trying to understand and define what determines the User definition in the following NT Event ID:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            11/5/2003
Time:            5:03:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MAILCR
Description:
Successful Network Logon:
       User Name:      MAILCR$
       Domain:            NDS_NET
       Logon ID:            (0x0,0x4CBC65)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      




Note that     "User: NT AUTHORITY\SYSTEM"     I have an isolated cases where the user: is defined as Domain\Username.  
I believe these events are being generated when a particular Service Stops\Starts (there are also associated NT Event ID 538 with these 540's as well) and I have already checked the Service to verify it is running under the SYSTEM account.


Thanks,

500 pts due to urgency.
0
Comment
Question by:Charlie_Melega
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 26

Expert Comment

by:Pber
ID: 24367471

 
The "User:" definition is this case is indicating that the SYSTEM account is the service running under the OS that servicing the logon request from the computer MAILCR.
This explains the logon process well under the "Bottom Line":
http://www.mail-archive.com/activedir@mail.activedir.org/msg08710.html
 
Next lets look at logon types. This displays some of the common ones:
http://www.windowsnetworking.com/nt/atips/atips57.shtml

In this case you have a logon type of 3 which indicates a Network Logon. This means this logon was initiated over a network such as someone accessing the computers share.

The EventId of 540 corroborates the event id of 3 as both are indications of Network logons.
http://technet.microsoft.com/en-us/library/cc787567.aspx

See these for further info:
http://www.experts-exchange.com/Networking/Network_Management/Auditing_Software/Q_22413459.html 
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=540 
0
 

Author Comment

by:Charlie_Melega
ID: 24412398
Thanks for the links and they were informative.  I am still reviewing the data in these pages. Is there and explanation for the event in the following screenshot that I have attached?  Notice that the User logon is not NT AUTHORITY\SYSTEM but an actual domain\username.  I know for a fact that this event was caused by the restarting of an application Service. In most cases, the User Logon is NT AUTHORITY\SYSTEM, however, that is not the case here.  This defies all Windows logic and theory.  I cannot replicate or debug why the user login is in the form of domain\username and not  NT AUTHORITY\SYSTEM .   Thank You for any thoughts or details.

0
 

Author Comment

by:Charlie_Melega
ID: 24412422
screenshot attached
userlogin.bmp
0
 
LVL 26

Accepted Solution

by:
Pber earned 500 total points
ID: 24421116
It is possible since you restarted a service that a remote user using the service was disconnected at that time.
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question