[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Event viewer showing continuous 538,540,576,680 events in security for one user on 2003 server

Posted on 2012-09-11
6
Medium Priority
?
315 Views
Last Modified: 2014-02-01
I have a 2003  server that shows "continuous" login/logout events for one user.  The user has a one mapped drive to this server and all is working fine.  However, the event viewer is filling up with these.

example:
538      NT AUTHORITY\ANONYMOUS LOGON      DELLTS110
540      DELLTS110\Jennifer      DELLTS110
576      DELLTS110\Jennifer      DELLTS110
680      DELLTS110\Jennifer      DELLTS110
540      NT AUTHORITY\ANONYMOUS LOGON      DELLTS110
538      DELLTS110\Jennifer      DELLTS110
540      DELLTS110\Jennifer      DELLTS110
576      DELLTS110\Jennifer      DELLTS110
680      DELLTS110\Jennifer      DELLTS110
538      NT AUTHORITY\ANONYMOUS LOGON      DELLTS110
540      NT AUTHORITY\ANONYMOUS LOGON      DELLTS110
538      DELLTS110\Jennifer      DELLTS110
538      DELLTS110\Jennifer      DELLTS110
540      DELLTS110\Jennifer      DELLTS110
576      DELLTS110\Jennifer      DELLTS110
680      DELLTS110\Jennifer      DELLTS110
538      NT AUTHORITY\ANONYMOUS LOGON      DELLTS110
540      NT AUTHORITY\ANONYMOUS LOGON      DELLTS110
538      DELLTS110\Jennifer      DELLTS110
540      DELLTS110\Jennifer      DELLTS110
576      DELLTS110\Jennifer      DELLTS110
680      DELLTS110\Jennifer      DELLTS110

This user has mapped drives to another server and it does not exhibit this behavior.
I saw another post that stated an HP driver could cause this.  There are no HP drivers on the PC.

PC is XP and the server is 2003 Enterprise.

Thanks.
0
Comment
Question by:HouseofFara
  • 3
  • 3
6 Comments
 
LVL 44

Expert Comment

by:Davis McCarn
ID: 38390676
If you are running SQL, try changing the polling interval: http://msdn.microsoft.com/en-us/library/aa198198
0
 

Author Comment

by:HouseofFara
ID: 38390805
Thank you for the reply, but no SQL.

We have about 20 PC's on the network, 10 of them mapping a drive letter to this server and share.   Only one PC is exhibiting the problem of the continous security log entries.

The share works and  I see no other isssues with either the PC or the server.  I have ran several malware checks and find nothing.

The only thing that has changed recently that I can think of is that we did a scheduled password change on all users.  However, the share is accessible on the suspect PC so the new password is registering properly.

Thanks.
0
 
LVL 44

Expert Comment

by:Davis McCarn
ID: 38390921
I would suggest trying a different user login on that PC and/or try logging in as Jennifer from a different PC to see if the issue is user specific or machine related.
If its machine related, I'd try the AVG Rescue CD which can detect things that are deeply hidden: http://www.avg.com/us-en/avg-rescue-cd
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Accepted Solution

by:
HouseofFara earned 0 total points
ID: 38396482
Found the issue.   A program for down loading images from a camera had an internal setting for the storage of photos which pointed to the mapped server drive.  This program was memory resident on startup.   For some reason, after the password change, this program was causing the issue.   Removed it and problem went away.
0
 
LVL 44

Expert Comment

by:Davis McCarn
ID: 38396954
Well!  That'll certainly do it, huh?
0
 

Author Closing Comment

by:HouseofFara
ID: 39826049
Reason found
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Enterprise networks where VoIP phones have been deployed frequently use port configurations that allow both a computer and an IP phone to be plugged into the same switch port but use different VLANs. On Cisco equipment I'm referring to the "native V…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question