RE: Auditing a reboot
From: Hillensbeck, Preston (PHillensbeck@sfbcic.com)
Date: 04/21/03
- Previous message: Brad Judy: "RE: Auditing a reboot"
- Maybe in reply to: Hillensbeck, Preston: "Auditing a reboot"
- Next in thread: Brad Judy: "RE: Auditing a reboot"
- Reply: Brad Judy: "RE: Auditing a reboot"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Hillensbeck, Preston" <PHillensbeck@sfbcic.com> To: 'Brad Judy' <judy@colorado.edu>, focus-ms@securityfocus.com Date: Mon, 21 Apr 2003 09:33:45 -0500
I guess I should have been more specific! What I am trying to audit is an
event that says who or what rebooted the machine. I see the normal 6005 and
6009 event messages, but I would really like to know who initiated the
reboot. Is this possible?
-----Original Message-----
From: Brad Judy [mailto:judy@colorado.edu]
Sent: Monday, April 21, 2003 9:30 AM
To: 'Hillensbeck, Preston'; focus-ms@securityfocus.com
Subject: RE: Auditing a reboot
There are several items that are logged on startup, some of which may
also be logged at other times. Try the normal first item to be logged -
an event 6009 that states the basic OS version information. See this KB
article for more info -
http://support.microsoft.com/default.aspx?scid=kb;EN-US;196452
Note that this is an event that occurs on startup regardless of how the
machine was shut down. Other events may be logged as discussed in the
article above. If you want something more specific you may have to look
elsewhere.
Brad Judy
Information Technology Services
University of Colorado at Boulder
> -----Original Message-----
> From: Hillensbeck, Preston [mailto:PHillensbeck@sfbcic.com]
> Sent: Monday, April 21, 2003 7:14 AM
> To: 'focus-ms@securityfocus.com'
> Subject: Auditing a reboot
>
>
> How would you go about auditing when a machine is rebooted,
> domain wise? I have looked high and low for an answer, and I
> can't seem to find one. This is a Windows 2000 question, and
> I am running Active Directory. I have tried auditing system
> events, both successes and failures, but cannot get event
> viewer to spit out the right information. Thanks in advance.
>
>
>
> --------------------------------------------------------------
> ---------------
> Attend Black Hat Briefings & Training Europe, May 12-15 in
> Amsterdam, the
> world's premier event for IT and network security experts.
> The two-day
> Training features 6 hand-on courses on May 12-13 taught by
> professionals.
> The two-day Briefings on May 14-15 features 24 top speakers
> with no vendor
> sales pitches. Deadline for the best rates is April 25.
> Register today to
> ensure your place. http://www.securityfocus.com/BlackHat-focus-ms
> --------------------------------------------------------------
> ----------------
>
-----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-focus-ms
------------------------------------------------------------------------------
- Previous message: Brad Judy: "RE: Auditing a reboot"
- Maybe in reply to: Hillensbeck, Preston: "Auditing a reboot"
- Next in thread: Brad Judy: "RE: Auditing a reboot"
- Reply: Brad Judy: "RE: Auditing a reboot"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
