Win2K Logoff Audit Failure

  1. #1 Info Tech Geek (Senior Member; joined Jan 2003; Vernon, CT; 828 posts)

    Win2K Logoff Audit Failure

    Using Win2K w/ SP3 I have noticed it fails to audit a logoff if you shut down or pull the plug on your system. Is there a way to prevent this or easily recognize this event?

  2. #2 Junior Member (joined Jul 2003; 24 posts)
    Any Policies Apply ?
    Group, Local, Domain ?
    Ruslan K. Abu Zant
    eReg(c) Internet Services
    http://ereg.info/ | http://gold-directory.com/ | http://xui.info/

  3. #3 thehorse13 (Master-Jedi-Pimps0r & Moderator; joined Dec 2002; Washington D.C. area; 2,883 posts)
    Sorry, you're outta luck. Remember, it logs success or failure of *logins*, not logoffs.

    What would be interesting to see is if W2K3 logs power failures or the like. Hmmmm, time to test...
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4 RoadClosed (Senior Member; joined Jun 2003; 3,834 posts)
    There is no way to log a power failure without windows knowing there is one. If the PC shuts off there is no way for the OS to log it. It's off - memory and cpu are bye bye. (just having fun, it's almost time to get a beer)

    The only way is to have some intermediary device that detects the power cycle or bump and uses itself to keep the PC on long enough to place an entry in the event log or its own logging function, a.k.a. a UPS, and hopefully one sophisticated enough to issue a shutdown command to Windows.

    I haven't looked at some of the advanced policies in active directory but I will look into it... tomorrow!

    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #5 RoadClosed (Senior Member; joined Jun 2003; 3,834 posts)
    Logins 528 Logoffs 538 (it audits both)
    Does that mean you had 10 unsuccessful logins?

  6. #6 steve.milner (rebmeM roineS enilnOitnA; joined Jul 2003; 1,018 posts)
    Originally posted here by RoadClosed

    Logins 528 Logoffs 538 (it audits both)
    Does that mean you had 10 unsuccessful logins?
    Nah, it means they've been hacked 10 times and the login logs cleared... Can't clear the logoff one once you're gone though
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  7. #7 AO Ancient: Team Leader (joined Oct 2002; 5,197 posts)
    Actually, you can determine that a power failure or some other unusual shutdown took place from the event logs. I don't recall the event ID or whatever but there is an entry that goes into the system log that states that "the last shutdown was unexpected". Thus, if you yank the power cord then when you restart the machine it will place that entry in the log.

    What RoadClosed is trying to say is that M$ has what are called logon types when logon auditing is turned on. A logon type 528 is a successful logon and a logon type 538 is a successful logoff. Technically there should be one of each.... Practically it doesn't seem to be the case but that's maybe because the connection is persistent. Either way, if you are looking for the matching logon type 538 for a logon type 528 for a given user and it doesn't appear flip over to the system log for the timeframe and make sure that there wasn't a "the last shutdown was unexpected" error in there.

    [Edit] Damn keyboard is all messed up - types the wrong letters all the time.... Honest.... [/edit]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8 Info Tech Geek (Senior Member; joined Jan 2003; Vernon, CT; 828 posts)
    Does anyone have any information supporting TigerShark's comment in regards to the unexpected shutdown being audited? Maybe a test to confirm it works and if so how is it audited?

  9. #9 RoadClosed (Senior Member; joined Jun 2003; 3,834 posts)
    OK here goes... clearing event log..... pulling plug....

    Nothing on my XP default install indicates some kind of unusual shutdown. I know we are talking 2k here but I have nothing.... you can see some services starting a minute later to clue in on but nothing that states in black and white that an unknown shutdown happened. So I dug a little and realized there are some options on how XP handles this item...
    search on "event log" in windows help returns these options:

    -----------------------------------------------
    To specify what Windows does if the system stops unexpectedly
    You must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure.

    Open System in Control Panel.
    On the Advanced tab, under Startup and Recovery, click Settings.
    Under System Failure, select the check boxes that correspond to the actions you want Windows to perform if a Stop error occurs:
    Write an event to the system log specifies that event information will be recorded in the system log.
    Send an administrative alert specifies that your system administrator will be notified.
    Automatically reboot specifies that Windows will automatically restart your computer.
    Under Write Debugging Information, choose the type of information you want Windows to record when the system stops unexpectedly:
    Small Memory Dump records the smallest amount of information that will help identify the problem. This option requires a paging file of at least 2 MB on the boot volume of your computer and specifies that Windows will create a new file each time the system stops unexpectedly. A history of these files is stored in the directory listed under Small Dump Directory.
    Kernel Memory Dump records only kernel memory, which speeds up the process of recording information in a log when the system stops unexpectedly. Depending on the amount of RAM in your computer, you must have 50 MB to 800 MB available for the paging file on the boot volume. The file is stored in the directory listed under Dump File.
    Complete Memory Dump records the entire contents of system memory when the system stops unexpectedly. If you choose this option you must have a paging file on the boot volume large enough to hold all of the physical RAM plus one megabyte (MB). The file is stored in the directory listed under Dump File.

    -------------------------------------------------------


    I have them all checked so I don't think Windows considered a power pull an event? According to my settings an Administrator Alert should be sent, then a restart...?
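The Startup and Recovery options quoted in the post above are stored in the registry and can be inspected or set from the command line. The following is an added example and not code from any poster in this thread; it assumes PowerShell 2.0 or later on the XP/2003 host being administered (Win2K itself cannot run PowerShell, but the same CrashControl values exist there and can be edited with regedit). The function names are made up for this example; the registry key and value names are the ones Windows uses.

```powershell
# Added example, not posted in this thread. Reads and sets the "System Failure"
# options behind Control Panel > System > Advanced > Startup and Recovery.
# They live in the CrashControl registry key and are read at boot, so a change
# takes effect after the next restart. Note they govern Stop errors (bug checks)
# only: a pulled plug never reaches the crash path, so none of them fire, which
# is why the test in the post above produced nothing.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-SystemFailureSettings {
    # Map the registry values back onto the names shown in the dialog.
    $p = Get-ItemProperty -Path $CrashControl
    $dumpTypes = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump' }
    New-Object PSObject -Property @{
        WriteEventToSystemLog   = [bool]$p.LogEvent
        SendAdministrativeAlert = [bool]$p.SendAlert
        AutomaticallyReboot     = [bool]$p.AutoReboot
        DumpType                = $dumpTypes[[int]$p.CrashDumpEnabled]
        DumpFile                = $p.DumpFile
        SmallDumpDirectory      = $p.MinidumpDir
    }
}

function Set-SystemFailureSettings {
    # Defaults reproduce the "all boxes checked, small dump" configuration.
    param(
        [bool]$LogEvent   = $true,
        [bool]$SendAlert  = $true,
        [bool]$AutoReboot = $true,
        [ValidateSet(0, 1, 2, 3)][int]$DumpType = 3   # 0 none, 1 complete, 2 kernel, 3 small
    )
    Set-ItemProperty -Path $CrashControl -Name LogEvent         -Value ([int]$LogEvent)   -Type DWord
    Set-ItemProperty -Path $CrashControl -Name SendAlert        -Value ([int]$SendAlert)  -Type DWord
    Set-ItemProperty -Path $CrashControl -Name AutoReboot       -Value ([int]$AutoReboot) -Type DWord
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value $DumpType          -Type DWord
}

# Show the current configuration; run Set-SystemFailureSettings (as an
# administrator) to change it, then reboot for the new values to be read.
Get-SystemFailureSettings | Format-List
```

Writing to CrashControl needs an administrator token, the same restriction the help text quotes for the dialog. The "Send an administrative alert" option also depends on the Alerter and Messenger services, which later service packs disable by default, so an alert that never arrives does not by itself prove the crash path was not taken.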

  10. #10 AO Ancient: Team Leader (joined Oct 2002; 5,197 posts)
    According to this KB article Event ID: 6008 indicates that the normal shutdown procedure was not followed insofar as the event log was not notified of a proper shutdown occurrence thus at the subsequent restart Event ID: 6008 is entered into the system log. If this is the case then any unusual shutdown should trigger the 6008 error...... But then this is M$.....

    I know that it has been pretty reliable on my servers as an indication of an unusual shutdown such as after a power failure when we find out that our UPS battery was dead.....<sigh> No harm done though.....
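Putting posts #7 and #10 together gives a check that can be scripted: pair each 528 with its 538 on the Logon ID, and for any logon that never got a 538, look in the System log for a 6008 later than the logon time. The block below is an added example, not code from anyone in this thread. It assumes PowerShell 2.0 or later (the classic logs are read with Get-EventLog, which can also be pointed at another machine with -ComputerName), and it assumes that in the Win2K/XP Security log events 528 and 538 carry the user name in ReplacementStrings[0] and the Logon ID in ReplacementStrings[2]; check the positions against a real event before trusting the output. The sample events at the bottom are constructed for the example, and the function names are invented.

```powershell
# Added example, not posted in this thread. Pairs 528 (successful logon) with
# 538 (user logoff) on the Logon ID from the classic Security log, then checks
# the System log for a 6008 (previous shutdown was unexpected) after any logon
# that never received its 538.
#
# Assumption: for 528 and 538, ReplacementStrings[0] is the user name and
# ReplacementStrings[2] is the Logon ID.

function Get-UnmatchedLogons {
    param(
        [Parameter(Mandatory=$true)] $SecurityEvents,  # objects with EventID, TimeGenerated, ReplacementStrings
        [Parameter(Mandatory=$true)] $SystemEvents
    )
    $open = @{}   # Logon ID -> logon details still waiting for a 538
    foreach ($e in ($SecurityEvents | Sort-Object TimeGenerated)) {
        $logonId = $e.ReplacementStrings[2]
        switch ($e.EventID) {
            528 { $open[$logonId] = @{ User = $e.ReplacementStrings[0]; LogonTime = $e.TimeGenerated } }
            538 { $open.Remove($logonId) }
        }
    }
    # Times of every 6008 in the System log, oldest first
    $dirtyShutdowns = @($SystemEvents | Where-Object { $_.EventID -eq 6008 } |
        ForEach-Object { $_.TimeGenerated } | Sort-Object)
    foreach ($id in $open.Keys) {
        $s = $open[$id]
        # First unexpected shutdown recorded after this logon, if any
        $crash = $dirtyShutdowns | Where-Object { $_ -gt $s.LogonTime } | Select-Object -First 1
        if ($crash) { $verdict = 'logoff lost to unexpected shutdown' }
        else        { $verdict = 'still logged on, or logoff not audited' }
        New-Object PSObject -Property @{
            User = $s.User; LogonId = $id; LogonTime = $s.LogonTime
            UnexpectedShutdownAt = $crash; Verdict = $verdict
        }
    }
}

function New-LogEvent($EventID, $When, $Strings) {
    # Builds a stand-in for an EventLogEntry so the example runs without a Windows log.
    New-Object PSObject -Property @{
        EventID = $EventID; TimeGenerated = [datetime]$When; ReplacementStrings = $Strings
    }
}

# Constructed sample: alice logs on and off cleanly; bob logs on, then the plug is pulled
# and the 6008 appears when the box comes back up.
$security = @(
    (New-LogEvent 528 '2003-07-20 09:00:00' @('alice', 'WORKGROUP', '(0x0,0x1A2B3)', '2')),
    (New-LogEvent 538 '2003-07-20 12:00:00' @('alice', 'WORKGROUP', '(0x0,0x1A2B3)', '2')),
    (New-LogEvent 528 '2003-07-20 13:00:00' @('bob',   'WORKGROUP', '(0x0,0x4C5D6)', '2'))
)
$system = @((New-LogEvent 6008 '2003-07-20 14:05:00' @('13:58:00', '7/20/2003')))

Get-UnmatchedLogons -SecurityEvents $security -SystemEvents $system |
    Format-Table User, LogonId, LogonTime, UnexpectedShutdownAt, Verdict -AutoSize

# Against a live host, feed it the real logs instead of the sample:
# Get-UnmatchedLogons -SecurityEvents (Get-EventLog -LogName Security -After (Get-Date).AddDays(-1)) `
#                     -SystemEvents   (Get-EventLog -LogName System   -After (Get-Date).AddDays(-1))
```

On the sample the output lists only bob, with the 6008 time in UnexpectedShutdownAt. Two caveats a reviewer should keep in mind: a 6008 only tells you the machine went down without a clean shutdown, not who pulled the plug; and the Logon ID is only unique until the next boot, so a 528 left open across a 6008 must not be paired with a 538 that happens to reuse the same ID afterwards. The script avoids the second problem because the 6008 sits between them in time, but a long log window spanning several reboots deserves to be split at each 6008 before pairing.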
