RE: Help with delayed logoff entry
- From: Vinson <Vinson@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 20 Dec 2007 20:50:01 -0800
You might have a service running with alternate credentials. Which user is
triggering the event, and what is the login type?
Event ID 538
User Logoff:
User Name: Guest
Domain: MAGIC
Logon ID: (0x0,0x1EC7356E)
Logon Type: 3
Here are various login types:
2 is interactive
3 is network
4 is batch
5 is a service
7 is an unlock (of the screen saver)
There are more types, but you get the idea.
Vinson
"scott@xxxxxxx" wrote:
I have a Windows XP Pro system with Service Pack 2, connected to a
Samba server (if that makes any difference). Auditing on the Windows
machine is turned on, and the security logs show two accounts with
logoff times long after their login times. This machine is in an
isolated network.
I am the only person with admin rights.
What might cause Windows XP w/SP2 to record a delayed logoff? I
searched for any file creation/modification dates for the date/time of
the logoff entry, but there was no hit.
The first Event ID is 551, followed by 538.
I have reviewed all the audit logs I could find, both on the Windows
system and the Samba server, but no correlations anywhere.
Insights are welcome. I don't believe the system was hacked - I
just need to find out why/how Windows reported logoffs long after the
user logged in (one person's entry was about 12 hours after the fact,
and another person's entry, on the same computer, was a few days
later).
Neither person said they had any jobs running, but maybe Windows did
behind the scenes...???
Thanks.
Scott
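Added example, not part of either poster's message: one way to measure the gap described in this thread is to pair each Event ID 551 with the next Event ID 538 carrying the same Logon ID, and label the result with the logon type from the reply's list. The sample records are constructed, the "Time:" line is an assumed export layout, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Logon types as listed in the reply above.
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service", 7: "unlock"}

# Constructed sample, not real log data. Fields follow the Event ID 538 record
# quoted above; the "Time:" line is an assumed export layout.
SAMPLE = """\
Time: 2007-12-18 17:30:45
Event ID 551
User Name: alice
Logon ID: (0x0,0x1A2B3C)

Time: 2007-12-18 17:31:02
Event ID 538
User Name: Guest
Logon ID: (0x0,0x2B3C4D)
Logon Type: 3

Time: 2007-12-19 05:41:02
Event ID 538
User Name: alice
Logon ID: (0x0,0x1A2B3C)
Logon Type: 2
"""

def parse(text):
    """Yield one dict per blank-line-separated record."""
    for block in text.strip().split("\n\n"):
        rec = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        rec["id"] = int(re.search(r"Event ID (\d+)", block).group(1))
        rec["time"] = datetime.strptime(rec["Time"], "%Y-%m-%d %H:%M:%S")
        yield rec

def delayed_logoffs(text, threshold_s=3600):
    """Pair each 551 with the next 538 for the same Logon ID; return large gaps."""
    pending, found = {}, []
    for rec in sorted(parse(text), key=lambda r: r["time"]):
        lid = rec["Logon ID"]
        if rec["id"] == 551:
            pending[lid] = rec["time"]  # logoff requested
        elif rec["id"] == 538 and lid in pending:
            gap = int((rec["time"] - pending.pop(lid)).total_seconds())
            kind = LOGON_TYPES.get(int(rec["Logon Type"]), "other")
            if gap >= threshold_s:
                found.append((rec["User Name"], lid, kind, gap))
    return found
```

A 538 with no preceding 551 for its Logon ID, such as the network logoff in the sample, is left unpaired and not reported.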