Distinguishing Windows NT Audit Event Records

Last reviewed: February 9, 1998
Article ID: Q140714
The information in this article applies to:
  • Microsoft Windows NT Workstation versions 3.5, 3.51, and 4.0
  • Microsoft Windows NT Server versions 3.5, 3.51, and 4.0

SUMMARY

Auditing log on and log off events on Windows NT Workstation or Server versions 3.5 and 3.51 produces records in the Security Log. However, what appear to be identical records in the Security Log may actually record network log on and log off events, interactive log on and log off events, initial network connections to a share, or disconnects from the share.

Although these events may be identical at the summary level in the Security Log, the details screen makes some distinctions among them.

MORE INFORMATION

Here are the Event IDs and type designations for the most common log on and log off events:

     Interactive logon     Event ID 528     Type 2
     Interactive logoff    Event ID 538     Type 2
     Network logon         Event ID 528     Type 3
     Net Use connection    Event ID 528     Type 3
     Network logoff        Event ID 538     Type 3
     Net use disconnection Event ID 538     Type 3
     Autodisconnect        Event ID 538     Type 3

When a user logs on or off the computer at the Windows NT console, the event is recorded in the Security Log. A successful log on event generates Event ID 528, Logon Type 2, and a user log off event generates Event ID 538, Logon Type 2, where Logon Type 2 indicates an interactive log on event. Double-click the event to bring up the Event Detail window, then check the Logon Type in the Description box.

The connection events are Logon Type 3, which indicates a network log on event. A successful Net Use or File Manager connection or a successful directed Net View to a Windows NT share generates Event ID 528, a successful log on event of Logon Type 3. An event is only generated by the initial connection from a particular user. Subsequent Net Views or Net Uses from the same user to the same computer do not generate any additional events unless the user has disconnected (or has been autodisconnected) from all shares.
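The distinction described above can be applied to exported records in bulk. The following is an added example, not part of the original article: it assumes each record is available as an (Event ID, Description text) pair and that the Description text carries "User Name", "Logon ID" and "Logon Type" lines; the sample records are constructed.

```python
import re

# Logon Type values named in this article.
KIND = {2: "interactive", 3: "network"}
ACTION = {528: "logon", 538: "logoff"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\S.*?)\s*$")

def parse_description(text):
    """Collect the 'Name: value' lines of a Description box into a dict."""
    return {m.group(1): m.group(2)
            for m in map(FIELD.match, text.splitlines()) if m}

def classify(event_id, description):
    """Return (user, logon_id, label) for one Security Log record.

    A 528/538 Type 3 record may be a network logon/logoff, a Net Use
    connection/disconnection or an autodisconnect; the ID and type are the
    same for all of them, so the label says only "network".
    """
    f = parse_description(description)
    raw = f.get("Logon Type", "")
    kind = KIND.get(int(raw)) if raw.isdecimal() else None
    action = ACTION.get(event_id)
    label = f"{kind} {action}" if kind and action else "not covered"
    return f.get("User Name", "?"), f.get("Logon ID"), label

def open_sessions(records):
    """Pair 528 with 538 by Logon ID; return sessions with no logoff yet."""
    live = {}
    for event_id, description in records:
        user, logon_id, label = classify(event_id, description)
        if label.endswith("logon"):
            live[logon_id] = (user, label.split()[0])
        elif label.endswith("logoff"):
            live.pop(logon_id, None)  # logoff whose logon was not exported
    return sorted(live.values())

# Constructed sample records; the field layout is an assumption.
def _rec(eid, head, user, lid, ltype=None):
    body = f"{head}:\n  User Name: {user}\n  Domain: CORP\n  Logon ID: {lid}"
    return eid, body + (f"\n  Logon Type: {ltype}" if ltype else "")

SAMPLE = [
    _rec(528, "Successful Logon", "alice", "(0x0,0x1A01)", 2),
    _rec(528, "Successful Logon", "bob", "(0x0,0x1A02)", 3),
    _rec(538, "User Logoff", "bob", "(0x0,0x1A02)", 3),
    _rec(528, "Successful Logon", "carol", "(0x0,0x1A03)", 3),
    _rec(528, "Successful Logon", "dave", "(0x0,0x1A04)"),  # type line missing
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(classify(*rec))
    print("still open:", open_sessions(SAMPLE))
```

A record whose Description text lacks a Logon Type line is reported as "not covered" rather than guessed, which mirrors the article's point that the summary line alone does not identify the event.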

See the Audit Category Help file (auditcat.hlp) in the Windows NT 3.51 Resource Kit for more information on audit event records.

Keywords          : ntsecurity NTSrvWkst kbusage
Version           : WinNT:3.5,3.51,4.0
Platform          : winnt
Issue type        : kbinfo


================================================================================


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved.