Re: Security Event Logging and remote WMI connection question

alexbalaev_at_yahoo.com
Date: 01/24/05


Date: 24 Jan 2005 12:16:38 -0800

Hello,
Let me rephrase the question.
Does anyone know on what WMI call these entries are added to the remote
box's security log?

EventID: 538
User Logoff:
User Name:NAME
Domain:DOMAIN
Logon ID: (0x0,0x2FC0A)
Logon Type: 3

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

EventID: 540
Successful Network Logon:
User Name: name
Domain: domain
Logon ID: (0x0,0x1B4755)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: boxname
Logon GUID:{00000000-0000-0000-0000-000000000000}

TIA, Alex.

alexbalaev@yahoo.com wrote:
> Hi there,
> So really no one?
> Please maybe some MCFT guys that monitor the forum could add any
> comments?
> TIA, Alex.
>
> alexbalaev@yahoo.com wrote:
> > Hello,
> > Every successful WMI connection to a remote box creates a couple of
> > entries into Security Event Log on the box: one for successful login
> > and another one for logoff.
> > I can understand that the information should be logged - all
> > connections should be tracked.
> > However if sysadmin monitors (using a sort of notification) security
> > log activity like who and when was logged into a box that could create
> > a problem. Because the sysadmin will be getting a lot of notifications
> > from multiple boxes...
> > Besides if WMI monitors something real-time (like every other time
> > interval) that could generate a lot of security event log entries too.
> > So the question is: Is there a way to disable such logging on a box so
> > that every WMI connection would not generate security event log entry?
> > Any help would be greatly appreciated,
> > Thanks, Alex.
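
A monitoring-side way to handle the notification volume described in this thread, as an added example that is not part of the original posts: rather than alerting on each 540/538 pair, count Logon Type 3 network logons per account and workstation and alert only on other events. The function names, the text-export layout and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample in the post's event layout; the 528 (Type 2) record is added for contrast.
SAMPLE = """\
EventID: 540
Successful Network Logon:
User Name: name
Domain: domain
Logon ID: (0x0,0x1B4755)
Logon Type: 3
Workstation Name: boxname

EventID: 538
User Logoff:
Logon ID: (0x0,0x1B4755)
Logon Type: 3

EventID: 528
User Name: admin
Logon ID: (0x0,0x2A11F0)
Logon Type: 2
"""

FIELD = re.compile(r"^([^:]+):\s*(\S.*)$")  # heading lines carry no value

def parse_events(text):
    """Turn blank-line-separated event text into a list of field dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (FIELD.match(line.strip()) for line in block.splitlines())
        ev = {m.group(1).strip(): m.group(2).strip() for m in fields if m}
        if "EventID" in ev:
            events.append(ev)
    return events

def triage(events):
    """Count Type 3 logons per (account, workstation); alert on everything else."""
    alerts, network, still_open = [], Counter(), set()
    for ev in events:
        eid, lid = ev["EventID"], ev.get("Logon ID")
        if ev.get("Logon Type") == "3" and eid == "540":
            who = ev.get("Domain", "?") + "\\" + ev.get("User Name", "?")
            network[(who, ev.get("Workstation Name", "?"))] += 1
            still_open.add(lid)
        elif ev.get("Logon Type") == "3" and eid == "538":
            still_open.discard(lid)  # logoff closes the matching logon
        else:
            alerts.append(ev)
    return alerts, network, still_open
```

Logon IDs left in `still_open` are network logons for which no logoff was seen in the input.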


