Jump to content
Compatible Support Forums
Sign in to follow this  
sm5w2

Events 528/576 caused by

Recommended Posts

Occasionally I see a pair of entries in the event viewer security log that are attributed to "anonymous user".

 

Event 1:

 

Event ID: 528

User: NTAuthority/anonymous

Computer: (name of computer)

Source: Security

Type: Success Audit

Catagory: Logon/Logoff

Description:

Successful Logon:

User Name: (blank)

Domain (blank)

Login Id: (0x0,0x3639)

Logon Type: 3

Logon Process: KSecDD

Authentication Process:

Microsoft_Authentication_Package_V1_0

Workstation name: (blank)

 

 

Event 2:

 

Event ID:576

User: NT Authority/anonymous

Computer: (name of computer)

Source: Security

Type: Success Audit

Catagory: Privilege Use

Description:

Special privileges assigned to new logon:

User name; (blank)

Domain: (blank)

Login ID: (0x0,0x3635)

Assigned: SechangeNotifyPrivilege

 

 

They come in pairs, same date and time stamp. the item "0x36nn" seems to change a little, but it's always "0x36nn".

 

The item (blank) is really blank, empty space. The item (name of computer) is the name of the workstation.

 

There is no "anonymous" user in the user manager. System is NT4 server, SP6.

 

Should I be concerned with these items? If not, what are they?

 

Why is their no user name printed?

 

What is the Login ID?

 

 

 

Share this post


Link to post
Quote:

Should I be concerned with these items? If not, what are they?

No, it is normal. See this:
Quote:

[url=
http://www.derkeiler.com/Newsgroups/comp...02-02/0194.html
" title="httpwwwderkeilercomNewsgroupscomposmswindowsntadminsecurity2002020194html titlehttpwwwderkeilercomNewsgroupscomposmswindowsntadminsecurity2002020194htmlurlhttpwwwderkeilercomNewsgroupscomposmswindowsntadminsecurity2002020194html relnofollow targetblankhttpwwwderkeilercomNewsgroupscomp02020194html" rel="nofollow" target="_blank">http://www.derkeiler.com/Newsgroups/comp...0194.html

This is quite normal and shouldn't alarm you too much. The
'SeChangeNotifyPrivilege' is an advanced permission and bypasses traverse checking.


Quote:

Why is their no user name printed?

It is anonymous.. smile sorry, do not know. Perhaps it is Windows' internal activity which will not log username.

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×