The User Logoff Event ID 538 Is Not Logged to the Security Event Log When You Shut Down Your Computer and Then Restart It

Symptoms

If you configure an audit policy to audit successful logon and logoff events, you may find that the user logoff audit event ID 538 is not logged to the security event log after you shut down your computer and then restart it.

Cause

This behavior occurs because during the shutdown process, the service that writes to the security event log is already stopped when the last token for the user who logs off is released. As a result, the user logoff audit event ID 538 is not logged to the security event log when you shut down your computer and then restart it. This behavior is by design.

Workaround

To work around this behavior, configure an audit policy to audit successful system events. To do this, follow these steps on the local computer.

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
  1. Click Start, and then click Control Panel.
  2. Double-click Administrative Tools, and then double-click Local Security Settings.
  3. Expand Local Policies, and then expand Audit Policy.
  4. In the right pane, double-click Audit system events.
  5. Click to select the Success check box, and then click OK.
  6. Restart the computer.
The following event ID is logged to the security event log:Also, if you are running Windows Server 2003 or Windows XP, the following event is logged to the security event log:
Propriedades

ID do Artigo: 828857 - Última Revisão: 4 de jan de 2008 - Revisão: 1

Comentários