You are currently offline, waiting for your internet to reconnect

Distinguishing Windows NT Audit Event Records

This article was previously published under Q140714
This article has been archived. It is offered "as is" and will no longer be updated.
Auditing log on and log off events on Windows NT Workstation or Serverversions 3.5 and 3.51 produces records in the Security Log. However, whatappear to be identical records in the Security Log may actually recordnetwork log on and log off events, interactive log on and log off events,initial network connections to a share, or disconnects from the share.

Although these events may be identical at the summary level in the SecurityLog, the details screen makes some distinctions among them.
Here are the Event IDs and type designations for the most commonlog on and log off events:

     Interactive logon     Event ID 528     Type 2     Interactive logoff    Event ID 538     Type 2     Network logon         Event ID 528     Type 3     Net Use connection    Event ID 528     Type 3     Network logoff        Event ID 538     Type 3     Net use disconnection Event ID 538     Type 3     Autodisconnect        Event ID 538     Type 3				

When a user logs on or off the computer at the Windows NT console, theevent is recorded in the Security Log. A successful log on event generatesEvent ID 528, Logon Type 2, and a User log off event generates Event ID538, Logon Type 2, where Logon Type 2 indicates an interactive log onevent. Double-click the event to bring up the Event Detail window, thencheck the Logon Type in the Description box.

The connection events are Logon Type 3, which indicates a network log onevent. A successful Net Use or File Manager connection or a successfuldirected Net View to a Windows NT share generates Event ID 528, asuccessful log on event of Logon Type 3. An event is only generated by theinitial connection from a particular user. Subsequent Net Views or Net Usesfrom the same user to the same computer do not generate any additionalevents unless the user has disconnected (or has been autodisconnected) fromall shares.

See the Audit Category Help file (auditcat.hlp) in the Windows NT 3.51 Resource Kit or otherwise in Windows NT Server and Workstation 4.0 Resource Kits for more information on audit event records.

Article ID: 140714 - Last Review: 12/04/2015 12:32:25 - Revision: 2.2

Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Professional Edition, Microsoft Windows NT Workstation 3.5, Microsoft Windows NT Workstation 3.51, Microsoft Windows NT Workstation 4.0 Developer Edition, Microsoft Windows NT Server 3.5, Microsoft Windows NT Server 3.51, Microsoft Windows NT Server 4.0 Standard Edition

  • kbnosurvey kbarchive kbinfo kbusage KB140714