Re: [Full-Disclosure] Windows 2000 Logout events are not monitored!

From: Bill Royds (
Date: 11/11/03

  • Next message: Thorsten Mayr: "AW: [Full-Disclosure] Windows RPC 4 ? [Exploit]"
    To: <>
    Date: Mon, 10 Nov 2003 19:44:21 -0500

    The logout even is event number 540 in security log. All the Win2K I manage
    have these entries for every logout. Check your security policy to ensure
    that you are recording them.
    There are in Local Security Policy MMS under Local Policies/Audit
    Events/{Audit account logon events,Audit logon events}. YOu want both
    success and failure to caputre a successful logoff.

    ----- Original Message -----
    From: "Darren Bennett" <>
    To: "Full Disclosure" <>
    Sent: Monday, November 10, 2003 12:42 PM
    Subject: [Full-Disclosure] Windows 2000 Logout events are not monitored!

    : It's possible this has been on the list before but I'm going to check
    : anyway. With windows 2000 (server is the platform I have tested), when
    : auditing of login/logout events is enabled, only login events are
    : recorded. This appears to be a bug with Windows. I have tried applying a
    : patch from Microsoft that is supposed to fix this and the patch didn't
    : work. Anyone else seen this behavior? Any suggestions on how I could
    : record logout events without relying on MS?
    : -Thanks,
    : Darren
    : -----------------------------------------------
    : Darren Bennett - CISSP
    : Sr. Systems Administrator/Manager
    : Science Applications International Corporation
    : Advanced Systems Development and Integration
    : -----------------------------------------------
    : _______________________________________________
    : Full-Disclosure - We believe in it.
    : Charter:

    Full-Disclosure - We believe in it.

  • Next message: Thorsten Mayr: "AW: [Full-Disclosure] Windows RPC 4 ? [Exploit]"

    Relevant Pages

    • Re: Help (Stuck at Logout)
      ... apparently the iMac is stuck at logout: ... appeared, along with the spinning gear icon, but it hasn't progressed ... about a million windows opened up (seems like ... Shit happens. ...
    • Re: windows form in service
      ... i am creating a windows service. ... when i logout the windows form get closed. ... I know there is a namespace System something that allows a Windows Desktop solution to check for logout on the desktop, and it will raise an event in the running .Net solution. ...
    • Re: logon logout remote destop to server
      ... windows 2003 and sp1 ... when logging on remotly.. ... MCSE, CCEA, Microsoft MVP - Terminal Server ... logout ...
    • Re: Benefits - Background process as NT service
      ... One thing is that you logout and login as a new user all processes are shut ... exception services because services run independent from a logged in ... > as an NT Service in windows. ...
    • problem with Win32/service
      ... I have a Ruby On Rails application (Mongrel web server), which I have compiled to windows XP service. ... Everything works fine, but when I logout from Windows, the service is shut down. ...