Distinguishing Windows NT Audit Event Records

ID: Q140714

The information in this article applies to:

Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0
Microsoft Windows NT Server versions 3.5, 3.51, 4.0

SUMMARY

Auditing log on and log off events on Windows NT Workstation or Server versions 3.5 and 3.51 produces records in the Security Log. However, what appear to be identical records in the Security Log may actually record network log on and log off events, interactive log on and log off events, initial network connections to a share, or disconnects from the share.

Although these events may be identical at the summary level in the Security Log, the details screen makes some distinctions among them.

MORE INFORMATION

Here are the Event IDs and type designations for the most common log on and log off events:


     Interactive logon     Event ID 528     Type 2
     Interactive logoff    Event ID 538     Type 2
     Network logon         Event ID 528     Type 3
     Net Use connection    Event ID 528     Type 3
     Network logoff        Event ID 538     Type 3
     Net use disconnection Event ID 538     Type 3
     Autodisconnect        Event ID 538     Type 3

When a user logs on or off the computer at the Windows NT console, the event is recorded in the Security Log. A successful log on event generates Event ID 528, Logon Type 2, and a User log off event generates Event ID 538, Logon Type 2, where Logon Type 2 indicates an interactive log on event. Double-click the event to bring up the Event Detail window, then check the Logon Type in the Description box.

The connection events are Logon Type 3, which indicates a network log on event. A successful Net Use or File Manager connection or a successful directed Net View to a Windows NT share generates Event ID 528, a successful log on event of Logon Type 3. An event is only generated by the initial connection from a particular user. Subsequent Net Views or Net Uses from the same user to the same computer do not generate any additional events unless the user has disconnected (or has been autodisconnected) from all shares.

See the Audit Category Help file (auditcat.hlp) in the Windows NT 3.51 Resource Kit for more information on audit event records.


Keywords          : kbusage ntsecurity NTSrvWkst 
Version           : WinNT:3.5,3.51,4.0
Platform          : winnt 
Issue type        : kbinfo

Last Reviewed: January 30, 1999