[BBLISA] Windows XP Event ID 551 and ID 538
Scott Ehrlich
scott at MIT.EDU
Fri Dec 14 19:43:41 EST 2007
Hello to all:
I know this is often a UNIX-based list, but I thought I'd see if I can
extract some Windows knowledge anyway...
I have a machine with auditing enabled, and have found some Event ID 551 (User
initiated logoff), then, at some point much later (hours or days) a subsequent
Event ID 538 (User logoff). There is no logon event anywhere near close to the
logoffs. These are on a Windows XP w/SP2 system on a Samba domain.
Microsoft's KB article 828857 is probably the closest I can get, but it is not
completely what I am getting.
Has anyone else experienced this:
- Event ID: 551 - Logoff - normal timestamp person might be using system
- Event ID: 538 - Logoff - long after ID 551 - possibly 12 hours, possibly
several days (when sorted by user)
Thanks.
Scott
More information about the bblisa
mailing list