
Help with delayed logoff entry

 
Guest






Posted: Thu Dec 20, 2007 9:21 pm    Post subject: Help with delayed logoff entry

I have a Windows XP Pro system with Service Pack 2, connected to a
Samba server (if that makes any difference). Auditing on the Windows
machine is turned on, and the security logs show two accounts with
logoff times long after their login times. This machine is in an
isolated network.

I am the only person with admin rights.

What might cause Windows XP w/SP2 to record a delayed logoff? I
searched for any file creation/modification dates for the date/time of
the logoff entry, but there was no hit.

The first Event ID is 551, followed by 538.

I have reviewed all the audit logs I could find, both on the Windows
system and the Samba server, but found no correlations anywhere.

Insights are welcome. I don't believe the system was hacked - I
just need to find out why/how Windows reported logoffs long after the
user logged in (one person's entry was about 12 hours after the fact,
and another person's entry, on the same computer, was a few days
later).

Neither person said they had any jobs running, but maybe Windows did
behind the scenes...???

Thanks.

Scott
Vinson
Guest





Posted: Fri Dec 21, 2007 4:50 am    Post subject: RE: Help with delayed logoff entry

You might have a service running with alternate credentials. Which user is
triggering the event, and what is the login type?

Event ID 538

User Logoff:
User Name: Guest
Domain: MAGIC
Logon ID: (0x0,0x1EC7356E)
Logon Type: 3

Here are various login types:

2 is interactive
3 is network
4 is batch
5 is a service
7 is an unlock (of the screen saver)

There are more types, but you get the idea.

Vinson
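
One way to act on the reply's suggestion, as an added example that is not part of the original thread: pair each Event ID 538 with the logon and the Event ID 551 that share its Logon ID, then report the logon type and the time gaps. Event IDs 528 and 540 are the Windows XP successful-logon events and are not mentioned in the thread; the `Time:` line, the export layout, and the function names are assumptions.

```python
import re
from datetime import datetime

# Logon types as listed in the reply above.
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service", 7: "unlock"}
FIELD = re.compile(r"^(Event ID|Time|User Name|Logon ID|Logon Type):?[ \t]+(.+)$", re.M)

# Constructed sample, not from the thread. The "Time:" line and the text layout
# are assumptions about how the Security log was exported.
SAMPLE = """\
Event ID 528
Time: 2007-12-17 08:00:00
User Name: alice
Logon ID: (0x0,0x1A2B3C)
Logon Type: 2
Event ID 551
Time: 2007-12-17 17:00:00
User Name: alice
Logon ID: (0x0,0x1A2B3C)
Event ID 538
Time: 2007-12-18 05:00:00
User Name: alice
Logon ID: (0x0,0x1A2B3C)
Logon Type: 2
Event ID 538
Time: 2007-12-18 06:30:00
User Name: bob
Logon ID: (0x0,0x4D5E6F)
Logon Type: 3
"""

def parse(text):
    """Split the export at each 'Event ID' line and read the named fields."""
    events = [dict(FIELD.findall(b)) for b in re.split(r"\n(?=Event ID)", text.strip())]
    for e in events:
        e["Time"] = datetime.strptime(e["Time"], "%Y-%m-%d %H:%M:%S")
    return events

def logoff_report(events):
    """Pair each 538 with the logon (528/540) and 551 that share its Logon ID."""
    def gap(ids, e):
        hits = [x["Time"] for x in events if x["Event ID"] in ids
                and x["Logon ID"] == e["Logon ID"] and x["Time"] <= e["Time"]]
        return e["Time"] - max(hits) if hits else None  # None: no matching event in the log
    return [{"user": e["User Name"],
             "type": LOGON_TYPES.get(int(e["Logon Type"]), "other"),
             "session": gap(("528", "540"), e),
             "lag_after_551": gap(("551",), e)}
            for e in events if e["Event ID"] == "538"]
```

A 538 whose `session` is `None` has no logon with the same Logon ID in the exported range, which usually means the export needs to start earlier.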
All times are GMT