Windows Security - Event ID 538

Discuss Windows Event Log events: what they mean, what they tell you about your machine's security, and whatever other questions you have.

Moderator: alorbach


Post by mo80 » Mon Jan 30, 2006 12:39 am

Can any Windows experts out there please enlighten me as to what's going on here, and should I be worried?

Event Log has been filling up with the following message:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 28/01/2006
Time: 00:07:54
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: LONDON
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x43A8F0)
Logon Type: 3

I am using W2K PRO. There's only me that uses the PC. In Audit policy I set:

Audit account logon events: Success, Failure
Audit logon events: Success, Failure
mo80
New
 
Posts: 3
Joined: Tue Jan 24, 2006 1:41 pm

Post by .kg. » Mon May 22, 2006 11:56 am

This event indicates a user logged off. The corresponding logon event (528) can be found by comparing the <logon id> field.
A logon id (logon identifier or LUID) identifies a logon session. A logon ID is valid until the user logs off. A logon ID is unique while the computer is running; no other logon session will have the same logon ID. However, the set of possible logon IDs is reset when the computer starts up.

A logon id has the following format (0x0, 0x4C37A2) and it is unique for each logon/logoff process.

Events that generate a logoff and their corresponding logon type:
- Interactive logoff will generate logon type 2
- Network logoff will generate logon type 3
- Net use disconnection will generate logon type 3
- Autodisconnect will generate logon type 3

For a list of logon types see the link to the "Windows Logon Types" article.

In many cases, the user listed for this event will be "ANONYMOUS LOGON" from "NT AUTHORITY" domain. This logon is used by processes that use the null session logons (logons that do not require a user/password combination). Any program or service that is using the System user account is in fact logging in with null credentials.
If the operating system encounters a user without any credentials, the user is regarded as having NULL credentials. When the system attempts to access a secured network resource based on NULL credentials, this is referred to as a NULL session. Access is only allowed if the remote machine allows NULL session access. This is configurable through the registry. (See Knowledge Base article M122702 for more information.)
One typical example is a computer that registers itself with the Master Browser for that network segment at startup. This registration will generate several logon/logoffs from "ANONYMOUS USER". Since the registration is renewed by default every 12 minutes, such events will occur at regular intervals.

For more information, you can refer to:

http://_/display.asp?even ... ty&phase=1

Hope this helps.
KG
.kg.
New
 
Posts: 3
Joined: Mon May 22, 2006 11:16 am
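
The correlation described in the answer above (matching each 538 logoff to its logon through the Logon ID, then checking how regularly the anonymous type 3 logoffs recur) can be scripted over an exported log. This is an added example, not part of the original thread. It assumes text records in the layout of the event quoted in the question, uses constructed sample records, and also accepts event 540 (the Windows 2000 network logon event), which the thread does not mention.

```python
import re
from datetime import datetime

LOGON_IDS = {"528", "540"}  # 528 is named in the answer; 540 (network logon) is an addition
LOGOFF_ID = "538"
# Constructed sample export, in the "Key: value" layout of the event quoted in the question.
REC = "Event ID: {}\nDate: 28/01/2006\nTime: {}\nUser Name: {}\nLogon ID: {}\nLogon Type: {}\n"
SAMPLE = "\n".join(REC.format(*r) for r in [
    (540, "00:07:53", "ANONYMOUS LOGON", "(0x0,0x43A8F0)", 3),
    (538, "00:07:54", "ANONYMOUS LOGON", "(0x0, 0x43A8F0)", 3),  # spacing varies
    (540, "00:19:53", "ANONYMOUS LOGON", "(0x0,0x43B2C1)", 3),
    (538, "00:19:54", "ANONYMOUS LOGON", "(0x0,0x43B2C1)", 3),
    (528, "08:30:00", "alice", "(0x0,0x44D010)", 2),             # still logged on
    (538, "00:31:54", "ANONYMOUS LOGON", "(0x0,0x45FFFF)", 3)])  # logon not in export

def parse(text):
    """Turn blank-line-separated 'Key: value' records into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = {k.strip(): v.strip() for k, v in re.findall(r"^([^:\n]+):(.*)$", block, re.M)}
        events.append({
            "id": f["Event ID"], "user": f["User Name"], "type": f["Logon Type"],
            "luid": f["Logon ID"].replace(" ", "").lower(),  # normalise before comparing
            "when": datetime.strptime(f["Date"] + " " + f["Time"], "%d/%m/%Y %H:%M:%S"),
        })
    return events

def pair_sessions(events):
    """Match each 538 logoff to the logon with the same Logon ID."""
    open_logons, sessions, orphans = {}, [], []
    for e in sorted(events, key=lambda e: e["when"]):
        if e["id"] in LOGON_IDS:
            open_logons[e["luid"]] = e
        elif e["id"] == LOGOFF_ID:
            start = open_logons.pop(e["luid"], None)
            if start is None:
                orphans.append(e["luid"])  # logoff whose logon is not in the export
            else:
                secs = (e["when"] - start["when"]).total_seconds()
                sessions.append((e["user"], e["type"], e["luid"], secs))
    return sessions, orphans, sorted(open_logons)

def anonymous_logoff_gaps(events):
    """Minutes between successive anonymous type 3 logoffs."""
    t = sorted(e["when"] for e in events
               if (e["id"], e["user"], e["type"]) == (LOGOFF_ID, "ANONYMOUS LOGON", "3"))
    return [(b - a).total_seconds() / 60 for a, b in zip(t, t[1:])]

if __name__ == "__main__":
    print(pair_sessions(parse(SAMPLE)), anonymous_logoff_gaps(parse(SAMPLE)))
```

Short anonymous sessions recurring at a steady gap near 12 minutes match the browser registration pattern the answer describes; logoffs with no matching logon usually mean the logon fell outside the exported range.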
