RE: Understanding Event Details in Windows NT
From: Kolde, Jennifer E. (jkolde@nosc.mil)
Date: 01/13/03
From: "Kolde, Jennifer E." <jkolde@nosc.mil>
To: 'Peter Snell' <PSnell@daymon.com>, John Smith <for3nsics@yahoo.com.au>, focus-ms@securityfocus.com
Date: Mon, 13 Jan 2003 10:00:03 -0800
LoginID is a unique hex value assigned to each logon session. If you
cross-reference the LoginID from a Successful Logon event with the same
LoginID from a Successful Logoff event, you can determine how long the
session lasted (i.e., how long the user was logged on to the system).
Foundstone's free NTLast utility can extract that information for you (works
better on NT than 2000, but will support both OSes).
Randy Franklin Smith wrote a great series of articles for Windows & .NET
Magazine on the Event Viewer in both NT and Windows 2000. There are 5 - 6
articles in each series and they are a good introduction to making sense of
the event logs (see below).
Regards,
Jennifer
www.winntmag.com
Windows 2000 auditing:
"Auditing Windows 2000" (July 2000, InstantDoc ID#9633)
"Tracking Logon and Logoff Activity in Win2K" (February 2001,
InstantDoc ID #16430)
"Auditing Account Logon Events" (March 2001, InstantDoc ID#19677)
"Mining the Win2K Security Log" (April 2001, InstantDoc ID #20052)
"Keeping Tabs on Object Access" (June 2001, InstantDoc ID #20563)
"Win2K Security Log Roundup" (July 2001, InstantDoc ID#21132)
Windows NT auditing:
"Introducing the NT Security Log" (March 2000, InstantDoc ID#8056)
"Interpreting the NT Security Log" (April 2000, InstantDoc ID#8288)
"Monitoring Privileges and Administrators in the NT Security Log"
(June 2000, InstantDoc ID#8696)
"Protecting the NT Security Log" (July 2000, InstantDoc ID#8785)
"Archiving and Analyzing the NT Security Log" (August 2000,
InstantDoc ID#9043)
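One way to do the cross-referencing described above, as an added example that is not part of this thread and not NTLast: it pairs each logon with the logoff carrying the same Logon ID and reports the session length, flagging logoffs whose logon predates the log window and logons with no logoff yet. It assumes the NT/Win2K Security-log event IDs 528/540 (successful logon) and 538 (user logoff) and a constructed pipe-separated export layout, neither of which comes from the thread.

```python
# Correlate NT/Win2K Security-log logon and logoff events by Logon ID.
# Each logon session gets its own Logon ID, e.g. (0x0,0xDFA0E5); pairing the
# logon event with the logoff event carrying the same ID gives session length.
import re
from datetime import datetime

# Constructed sample export (not a real log): time|event id|user|logon type|Logon ID
SAMPLE_LOG = """\
2003-01-12 23:01:10|528|DOMAIN\\jsmith|2|(0x0,0xDFA0E5)
2003-01-12 23:03:42|540|DOMAIN\\psnell|3|(0x0,0xE01B22)
2003-01-12 23:04:05|538|DOMAIN\\psnell|3|(0x0,0xE01B22)
2003-01-12 23:05:00|538|DOMAIN\\ghost|3|(0x0,0x42)
2003-01-13 00:31:10|538|DOMAIN\\jsmith|2|(0x0,0xDFA0E5)
2003-01-13 07:20:00|540|DOMAIN\\jkolde|3|(0x0,0xF10C77)
"""

LOGON_EVENTS = {528, 540}   # 528: successful logon; 540: network logon (Win2K)
LOGOFF_EVENT = 538          # user logoff
LOGON_ID_RE = re.compile(r"\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)")

def logon_id_key(text):
    """Turn '(0xHIGH,0xLOW)' into one integer so 0x42 and 0x000042 compare equal."""
    m = LOGON_ID_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"bad Logon ID: {text!r}")
    return (int(m.group(1), 16) << 32) | int(m.group(2), 16)

def session_durations(log_text):
    """Return (sessions, orphans): sessions maps Logon ID key -> (user, logon
    type, seconds logged on); orphans lists (reason, user, key) for logoffs with
    no logon in the window and logons with no logoff yet (active, or log gap)."""
    open_sessions, sessions, orphans = {}, {}, []
    for line in log_text.splitlines():
        ts, event_id, user, ltype, lid = line.split("|")
        when, key = datetime.fromisoformat(ts), logon_id_key(lid)
        if int(event_id) in LOGON_EVENTS:
            open_sessions[key] = (user, int(ltype), when)
        elif int(event_id) == LOGOFF_EVENT:
            if key not in open_sessions:
                orphans.append(("logoff-without-logon", user, key))
                continue
            u, t, start = open_sessions.pop(key)
            sessions[key] = (u, t, int((when - start).total_seconds()))
    for key, (user, t, start) in open_sessions.items():
        orphans.append(("no-logoff-seen", user, key))
    return sessions, orphans
```

On the sample data this yields a 5400-second interactive session for jsmith and a 23-second network session for psnell, while ghost and jkolde land in the orphan list.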
-----Original Message-----
From: Peter Snell [mailto:PSnell@daymon.com]
Sent: Monday, January 13, 2003 7:20 AM
To: John Smith; focus-ms@securityfocus.com
Subject: RE: Understanding Event Details in Windows NT
www.eventid.net is a good resource for researching events if you have an
Event ID from the viewer.
LoginID is probably referencing the SID,
Logon Type 3 is a network logon,
Logon Process KSecDD is the Kerberos Security Device Driver.
You can build a list that maps the SID's to usernames like this:
1. Dump the user list to a text file with the NET USERS command or with
Addusers.exe.
2. Modify this text file to remove unwanted information (headers, and so
forth).
3. Modify the resulting list of user names into a batch file, using the
GETSID resource kit utility to translate each user name into a SID. Redirect
the output to a text file.
4. When you encounter a SID, search the text file (created previously) for
that SID. This will place you on the line with the user's name.
Hope this helps,
Pete
-----Original Message-----
From: John Smith [mailto:for3nsics@yahoo.com.au]
Sent: Sunday, January 12, 2003 11:11 PM
To: focus-ms@securityfocus.com
Subject: Understanding Event Details in Windows NT
Hi all,
I'm curious to know what the contents of the event
details mean in MS event Viewer.
i.e. How do you determine from a successful Logon that
the user only viewed event logs remotely and didn't
mount a share?
Some other questions:
What does "LoginID: (0x0,0xDFA0E5)" mean ?
What does "Logon Type: 3" mean ?
What does "Logon Process: KSecDD" mean ?
Thanks in advance.