UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 540 - Successful Network Logon

The computer name PCxxxx$ in 540 User field

hunnypot — Thu, 20 May 2010 04:57:26 GMT

Hi all,

I was checking log from my domain controllers and I saw 540 messages with a strange value in the user field.

user = PC1122$
computer = DC2
workstation name = PC3344

Why did I see the computer name in the user field instead of the log on user's name? And what does it mean?

I have W2003 domain controllers and XP clients (name starting with PCxxxx).

Thank you for your answer/explanation.

Layout of fields in 540 event ?

michaelluch — Wed, 21 Apr 2010 06:45:19 GMT

I use a script to parse 540 events in the Security Log.
In some cases I see and event like this
"eventtype" => "Audit Normal ",
"eventnumber" => "540",
"category" => "2",
"source" => "Security",
"creationtime" => "Thu, 15 Apr 2010 10:44:41 UTC",
"writetime" => "Thu, 15 Apr 2010 10:44:41 UTC",
"computer" => "TTESTDC4",
"SID" =>"S-1-5-21-0-0-4-0",
"Strings" => {
"0" => 'TestUser1',
"1" => 'TEST_DOM',
"2" => '(0x0,0x7D709A)',
"3" => '3',
"4" => 'Kerberos',
"5" => 'Kerberos',
"6" => '',
"7" => '{7a49e72b-ae5b-9137-633e-a392ed0569f2}',
"8" => '-',
"9" => '-',
"10" => '-',
"11" => '-',
"12" => '-',
"13" => '10.125.58.195',
"14" => '0',
}

other events appear like this (see the values in the String part, ip addres in field 13 or 14 for example)
"eventtype" => "Audit Normal ",
"eventnumber" => "540",
"category" => "2",
"source" => "Security",
"creationtime" => "Thu, 15 Apr 2010 10:43:51 UTC",
"writetime" => "Thu, 15 Apr 2010 10:43:51 UTC",
"computer" => "TESTDC4",
"SID" =>"S-1-5-21-0-0-4-0",
"Strings" => {
"0" => '',
"1" => 'TestUser2',
"2" => 'TEST_DOM',
"3" => '(0x0,0x7DAC7A)',
"4" => '3',
"5" => 'Kerberos',
"6" => 'Kerberos',
"7" => '',
"8" => '{87e77d0a-64ae-432a-89f4-d62ba36b4966}',
"9" => '-',
"10" => '-',
"11" => '-',
"12" => '-',
"13" => '-',
"14" => '10.125.58.131',
}

Any suggestions why the event would be stored differently ?

thanks

Many 540/538 events during short period of time.

Pablo — Mon, 25 Jan 2010 04:19:12 GMT

Hello

I wonder why are there so many 540/538 entries (each 540/538 pair with the same logon id) during so short period of time? It is even twice per second and is related to many users and workstations accounts.

Besides from time to time some users (WinXP/Vista) can't login to AD. There is no strict rule - each time that problem is related to different users accounts.

Thanks for your precious explanations/help
Pablo

P.S.
Does anyone knows how to paste attachments here?

Unexplained 540 events on W2K workstation in a domain

kr_lly — Mon, 12 Oct 2009 13:23:35 GMT

Does anyone have an explanation for this sequence of three Events on a W2K workstation that's in a domain? The workstation name is WK3577. The user in this case (AM\User1) is a valid domain user but there is no logical connection between them and this workstation. The are multiple user accounts generating these Events.

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/11/2009
Time: 11:47:09 PM
User: AM\User1
Computer: WK3577
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x564620)
Assigned: SeChangeNotifyPrivilege

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/11/2009
Time: 11:47:09 PM
User: AM\User1
Computer: WK3577
Description:
Successful Network Logon:
User Name: User1
Domain: AM
Logon ID: (0x0,0x564620)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/11/2009
Time: 11:47:21 PM
User: AM\User1
Computer: WK3577
Description:
User Logoff:
User Name: User1
Domain: AM
Logon ID: (0x0,0x564620)
Logon Type: 3

Multiple event 540 and 538 entries

netwit — Mon, 28 Sep 2009 09:52:16 GMT

What would cause one user to fill the event log on my domain server with event 540 and 538 entries? I am talking over 1 million in 24 hours. I can't detect any virus or spyware on the system and the system seems to run normally but only shutting off the user PC stops the stream of event losgs.

machine accounts in code 540, 538 events

Clay — Mon, 27 Apr 2009 10:45:59 GMT

Our WS2003 Event Viewer Security log contains many more machine log-ins than user account logins. Is this a normal, useful configuration, or have we bollixed something?

EID - 540

kitchu25 — Fri, 14 Aug 2009 03:18:41 GMT

Hi,

I am doing audit review for my company. In a server I can see in the log for EID - 540 from which workstation the access is made.

Here I is the see log details:

"Successful Network Logon: User Name: $nrddu Domain: sdap Logon ID: (0x0,0x5F637364) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: Htf1

Here I can not see the same in the server :

"Successful Network Logon: User Name: $nrddu Domain: sdap Logon ID: (0x0,0x5F669D39) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name:

Is there any differnace in this NtLmSsp Authentication Package and Kerberos Authentication Package in capturing the logs...

Kishore

Logon Types for 540?

Braino — Mon, 11 May 2009 19:24:41 GMT

Hey -

I noticed the description says this eventid (540) only happens for logon type 3. This isn't true as it also happens for Logon type 8 (NetworkClearText - most likely a Basic Authentication to IIS).

Is this right? Does EventID 528 ever show Logon type 8? Do any other logon types show on EventID 540?

Thanks,

Braino! ;)