RE: Understanding Event Details in Windows NT

From: Peter Snell (PSnell@daymon.com)
Date: 01/13/03

    From: Peter Snell <PSnell@daymon.com>
    To: John Smith <for3nsics@yahoo.com.au>, focus-ms@securityfocus.com
    Date: Mon, 13 Jan 2003 10:19:31 -0500
    
    

    www.eventid.net is a good resource for researching events if you have an
    Event ID from the viewer.

    LoginID is probably referencing the SID,

    Logon Type 3 is a network logon,

    Logon Process KSecDD is the Kerberos Security Device Driver.

    You can build a list that maps the SIDs to usernames like this:

    1. Dump the user list to a text file with the NET USERS command or with
    Addusers.exe.
    2. Modify this text file to remove unwanted information (headers, and so
    forth).
    3. Modify the resulting list of user names into a batch file, using the
    GETSID resource kit utility to translate each user name into a SID. Redirect
    the output to a text file.
    4. When you encounter a SID, search the text file (created previously) for
    that SID. This will place you on the line with the user's name.

    Hope this helps,

    Pete

    -----Original Message-----
    From: John Smith [mailto:for3nsics@yahoo.com.au]
    Sent: Sunday, January 12, 2003 11:11 PM
    To: focus-ms@securityfocus.com
    Subject: Understanding Event Details in Windows NT

    Hi all,

    I'm curious to know what the contents of the event
    details mean in MS event Viewer.

    i.e. How do you determine from a successful Logon that
    the user only viewed event logs remotely and didn't
    mount a share ?

    Some other question:
    What does "LoginID: (0x0,0xDFA0E5)" mean ?

    What does "Logon Type: 3" mean ?

    What does "Logon Process: KSecDD" mean ?

    Thanks in advance.

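The four-step SID-to-username recipe in Pete's reply (NET USERS, GETSID in a batch file, redirect, then search the file) can be done with the tooling that ships with current Windows. The script below is an added example for this archive page, not code from either poster: it swaps GETSID for the SID property that Get-LocalUser exposes, writes the same kind of "SID, user name" text file, and performs the step-4 lookup against that file, falling back to a live SID translation for SIDs the local enumeration never saw (well-known groups, domain accounts, or deleted accounts). It assumes Windows PowerShell 5.1 or later on a machine where Get-LocalUser is available; the file path and the sample SIDs are constructed.

```powershell
# Added example (not from the original thread): SID -> user-name map built with
# Get-LocalUser instead of NET USERS + GETSID + a batch file.
# Assumption: Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts
# module (local accounts only; use Get-ADUser from the ActiveDirectory module
# for domain accounts).

# Steps 1-3 of the recipe: enumerate local accounts and record each account's SID.
$sidMap = @{}
Get-LocalUser | ForEach-Object {
    $sidMap[$_.SID.Value] = $_.Name
}

# Write the map as one "SID<TAB>Name" line per account so it can be searched
# later, just like the redirected GETSID output in the original recipe.
$mapFile = Join-Path $env:TEMP 'sid-map.txt'   # constructed path
$sidMap.GetEnumerator() |
    Sort-Object Name |
    ForEach-Object { "{0}`t{1}" -f $_.Key, $_.Value } |
    Set-Content -Path $mapFile -Encoding ASCII

# Step 4: given a SID copied from the event details, find the user name.
# The text file is consulted first; if the SID is not there, ask Windows to
# translate it, which also covers well-known SIDs and domain accounts.
function Resolve-SidToName {
    param([Parameter(Mandatory)][string]$Sid)

    $hit = Select-String -Path $mapFile -Pattern ("^{0}`t" -f [regex]::Escape($Sid))
    if ($hit) {
        return ($hit.Line -split "`t")[1]
    }
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Malformed SID, or an orphaned SID whose account was deleted or belongs
        # to an unreachable domain: report it as unresolved rather than failing.
        return $null
    }
}

# Constructed sample lookups: the well-known local Administrators group, and a
# placeholder in the shape of an account SID that is not expected to resolve.
Resolve-SidToName -Sid 'S-1-5-32-544'
Resolve-SidToName -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1001'
```

An unresolved SID (a `$null` result) is itself useful information when reading old logs: it usually means the account behind the event has since been deleted, so the mapping file should be regenerated whenever accounts are added or removed rather than kept indefinitely.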


