Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Event Logs False Log In (I think)

Status
Not open for further replies.

gt6350a

Programmer
Feb 10, 2003
68
US
Here is the problem:

I just added a 2000 workstation to my NT testbed/network. I looked at the security event log and noticed that my user name was recorded as logging into one of the computers at an ungodly hour in the morning. I never logged into the computer, in fact I was already logged into it and I just had the simulation running and the screen locked. Basically, I would like to know if you can help me figure out how I could be shown as logging into my computer when I was already logged into it. I know that no one broke into our facility and logged me in. By the way, over the weekend I let a simulation run on that computer and I think that because it was running (it takes up all my processing power) somehow I think it recorded me as logging in. Does that sound possible?

As an aside: I called my alarm company and they said the alarm/motion detector etc never tripped. (By the way, I know no one broke in because our facility is EXTREMLY secure - it's a government building and if an alarm was tripped I would know. Also, there is NO access to our lab over the weekend, so I know no one was on the computer because it is beyond impossible to get in to our lab.)

Thank you!
 
Tis a possibility that a task (either a service or scheduled) may have started running under your security context.



Claudius (What certifications??)
 
I am not sure I understand what you are trying to say as I am new to this stuff. Can you please explain it in simpler terms for me to understand? Like what is a 'service, scheduled'? and why do you think that the starting of a 'service, scheduled' would make the system show me as logging in? Thank you SO much in advance for your response! :0)
 
I am still getting the same error. After further investigation I found the following inthe app log:

event 1704 - scecli - "Security policy in the group policy objects are applied successfully."

This event occurs exactly 5 minutes before every 528 event.

Also, event 64 (w32time) occurs after event 528 during random separations in time.
 
I am still getting the same error. After further investigation I found the following inthe app log:

event 1704 - scecli - "Security policy in the group policy objects are applied successfully."

This event occurs exactly 5 minutes before every 528 event.

Also, event 64 (w32time) occurs after event 528 during random separations in time.

I hope this helps shead more light on the matter. ;)
Thanks!
 
sound to me like your group policy is applying using your name...or like the above mentioned...

if there is any task, like backups, scheduled to run under your username, then you should be marked as logging in at that time, because it is logging you in to do the work essentially.

win2000 works very closely with the services, and the services are all tied to user accounts (usually system)
if it aint a service, then its probably a program running on schedules
 
hmmm....this sounds like we are heading somewhere. I have a question... what is a service and what is a schedule? The reason why I would like to know this is because I plan to go into the lab to look for a service/schedule but right now I have no idea what it is that I am looking for.

Thank you for your time.

 
Check in Control panel for Scheduled tasks. The properties should tell you what account is being used to run it.
As for services, you can find that in Administrative Tools which is in Control Panel as well. Probably check the properties for any services which are relating to applications installed by yourself.The Log On tab will give you whose ID is being used to run the service.

Claudius (What certifications??)
 
I just checked the services and all the services are logged on as "LocalSystem" except for "ASP .NET State Service" which is logged on as ".\ASPNET"

Also, there are no scheduled tasks running when I checked the Scheduled Tasks in Control Panel.

All great suggestions but I think it is deeper than that.

I also turned off the virus protection, windows update and time service Services.

Anymore ideas? I think we are narrowing things down. :0)
 
it is possible too that you may have just lost network connection for a few seconds and then it picked back up and logged you back in from your cached credentials...could be the case...but not positive

check to see if it reoccurs

 
hmmmm, i think a lost network connection would have shown up in the event log. since it did not, i am ruling that option out. sounds fair? if not please correct me.

thanks for th eidea though.

anyone else have any ideas?
 
it will show up in the system log but not as an error, it should be under tcp/ip source...could be a warning too, depending on the situations.

is this problem reoccurring, or did it just happen?

try to keep the machine on logged in for around the same time (weekend i think you said) period without the application running, and when you come back into the office, see if the same thing happened...if it didn't, repeat the whole process but only this time around run the app the whole time the exact same way. If it still doesn't happen, then you probably have an intruder coming into your network (since you said you checked all scheduled tasks and service accounts)

If your an administrator you should probably rename your username to something else, and check on the domain controllers to se if this is the case with any other accounts, and rename those as applicable

oh yea, does it give you a type inside of the 528 logon event? type 1, type 2, type 3, etc.?

 
>>is this problem reoccurring, or did it just happen?

Ans. IT IS REOCCURRING


>>try to keep the machine on logged in for around the same >>time (weekend i think you said) period without the >>application running, and when you come back into the >>office, see if the same thing happened...if it didn't, >>repeat the whole process but only this time around run >>the app the whole time the exact same way.

Ans. I DID THAT AND STILL SHOWS ME AS LOGGING IN. BUT JUST BECASUE THAT HAPPENS DOES NOT MEAN AN INTRUDER LOGGED IN. FOR INSTANCE, THERE COULD BE SOME OTHER SERVICE RUNNING CAUSING THE PROBLEM.



>>oh yea, does it give you a type inside of the 528 logon >>event? type 1, type 2, type 3, etc.?

Ans. TYPE 3

Thanks for your input. No offense, but I need a really creative solution, I have done all the basics to check for this occurnace, now I need some mid to high level ideas. Again, not offense, but I just am trying to let you guys know that I did the basics and am trying to save us some time reinventing the wheel. :0) Anymore suggestions?
 
ok got ya, alot of people dont know even the basics which is probably why you get mostly basic answers

this why i asked the type....

type 3 indicates a net use command

so thats what is causing it, there is something using your username to call something, you find it you end your logon problem i bet

view this link concerning the w32time error, not sure if your is the same, but its a start...w32time is of course the time service not being able to contact a DC to synchronize time

hope that helped ya
 
all serivce ar running locally. none are being run by the user who logged in. i checked into that as well.

thanks for the link. will investigate....
 
it doesnt have to be a service, it can be anything, a batch file, a printer...anything that can use the net use command can be what it is

services use a start and stop command to start and stop from the command-line, not net use, so this would not be related to the services.....

it also doesnt necesarily have to be local, it could be ran on a workstation or something and if you have auditing enabled for logon events it will track processes/things users complete over the network

type 3 can also indicate a file manager connection or a successful net view, as well as net use being a possibility
type 3 also usually indicates a disconnection and quick reconnection from a network resource, or an initial logon, additional net use commands, etc. would not be registerd into the event log after that time..the links will explain this better probably


your events are (should) not be related to each otehr though so solving one will (should) not help you with others

your GPOs are applying correctly as stated by the event id 1704 you mentioned above

and the timer event has no relationm to the logon either

i will say though that it is wierd that the policy applies 5 minutes before the logon takes place

but your 1704 event is an information event (should be with that successfully applied message) not an error right

heres some more links to check that may help


BWilson77080
MCSA+MCP, A+
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top