Security Basics mailing list archives

TR : event viewer log How to get more information


From: "Héroux, Christian" <Christian.Heroux () etsmtl ca>
Date: Fri, 4 Apr 2003 12:15:29 -0500

Hello all!
        I hope you can help me! There are many event log entries like these on a user's Windows XP workstation. Someone 
logged into his station, right? How can I get more info to troubleshoot? Nobody is allowed on this user's station. We 
don't have much info to find out what's wrong. Is it a process, which PC... Do you have any tool that could log more 
detail?

Christian H.


Event Type:       Success Audit
Event Source:    Security
Event Category: Logon/Logoff 
Event ID:           540
Date:                2003-04-02
Time:                10:19:02
User:                XXX\ffournXXX
Computer:         BISMARCK
Description:
Successful Network Logon:
            User Name:       ffournXXX
            Domain:                        XXX
            Logon ID:                      (0x0,0x1BA8FD3)
            Logon Type:      3
            Logon Process: NtLmSsp 
            Authentication Package: NTLM
            Workstation Name:        GPA_024824
            Logon GUID:      {00000000-0000-0000-0000-000000000000}
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
 
 
 
Event Type:       Success Audit
Event Source:    Security
Event Category: Logon/Logoff 
Event ID:           540
Date:                2003-04-03
Time:                09:40:15
User:                XXX\rmaraXXXX
Computer:         BISMARCK
Description:
Successful Network Logon:
            User Name:       rmaranXXX
            Domain:                        XXX
            Logon ID:                      (0x0,0x586DD0)
            Logon Type:      3
            Logon Process: NtLmSsp 
            Authentication Package: NTLM
            Workstation Name:        GPA_026195
            Logon GUID:      {00000000-0000-0000-0000-000000000000}
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
 
 
Event Type:       Failure Audit
Event Source:    Security
Event Category: Logon/Logoff 
Event ID:           529
Date:                2003-04-04
Time:                02:33:06
User:                NT AUTHORITY\SYSTEM
Computer:         BISMARCK
Description:
Logon Failure:
            Reason:                        Unknown user name or bad password
            User Name:       Administrator
            Domain:                        PERF-1
            Logon Type:      3
            Logon Process: NtLmSsp 
            Authentication Package: NWV1_0
            Workstation Name:        PERF-1
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
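
An added example, not part of the original post: a small Python parser for Event Viewer text in the layout shown above, which groups Logon Type 3 (network) logons by the Workstation Name each event reports so the connecting machines stand out. The function names and the sample hosts and users are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample in the post's layout; hosts and users are placeholders.
SAMPLE = """\
Event Type:       Success Audit
Event ID:           540
Date:                2003-04-02
Time:                10:19:02
Successful Network Logon:
            User Name:       user1
            Logon Type:      3
            Workstation Name:        WKS-0001

Event Type:       Failure Audit
Event ID:           529
Date:                2003-04-04
Time:                02:33:06
Logon Failure:
            Reason:                        Unknown user name or bad password
            User Name:       Administrator
            Logon Type:      3
            Workstation Name:        WKS-0002
"""

# "Key:   value" lines; headings such as "Logon Failure:" carry no value and are skipped.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(\S.*?)\s*$")

def parse_events(text):
    """Split a dump into one dict per event; each 'Event Type:' line starts a record."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Event Type":
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events

def network_logons_by_source(events):
    """Map each reported workstation name to its (time, user, audit result) entries."""
    summary = defaultdict(list)
    for ev in events:
        if ev.get("Logon Type") == "3":  # type 3 = logon over the network
            when = f"{ev.get('Date')} {ev.get('Time')}"
            summary[ev.get("Workstation Name", "?")].append(
                (when, ev.get("User Name"), ev.get("Event Type")))
    return dict(summary)
```

In NTLM logons the Workstation Name is supplied by the connecting client, so treat it as a lead to verify rather than proof of origin.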

 
