Focus on Microsoft
RE: Understanding Event Details in Windows NT Jan 13 2003 06:00PM
Kolde, Jennifer E. (jkolde nosc mil)
LoginID is a unique hex value assigned to each logon session. If you
cross-reference the LoginID from a Successful Logon event with the same
LoginID from a Successful Logoff event, you can determine how long the
session lasted (i.e., how long the user was logged on to the system).

Foundstone's free NTLast utility can extract that information for you (works
better on NT than 2000, but will support both OSes).

Randy Franklin Smith wrote a great series of articles for Windows & .NET
Magazine on the Event Viewer in both NT and Windows 2000. There are 5 - 6
articles in each series and they are a good introduction to making sense of
the event logs (see below).

Regards,
Jennifer

www.winntmag.com

Windows 2000 auditing:
"Auditing Windows 2000" (July 2000, InstantDoc ID #9633)
"Tracking Logon and Logoff Activity in Win2K" (February 2001, InstantDoc ID #16430)
"Auditing Account Logon Events" (March 2001, InstantDoc ID #19677)
"Mining the Win2K Security Log" (April 2001, InstantDoc ID #20052)
"Keeping Tabs on Object Access" (June 2001, InstantDoc ID #20563)
"Win2K Security Log Roundup" (July 2001, InstantDoc ID #21132)

Windows NT auditing:
"Introducing the NT Security Log" (March 2000, InstantDoc ID #8056)
"Interpreting the NT Security Log" (April 2000, InstantDoc ID #8288)
"Monitoring Privileges and Administrators in the NT Security Log" (June 2000, InstantDoc ID #8696)
"Protecting the NT Security Log" (July 2000, InstantDoc ID #8785)
"Archiving and Analyzing the NT Security Log" (August 2000, InstantDoc ID #9043)

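As an added illustration of the cross-referencing described above (example code written for this page, not NTLast or anything from the original thread): it pairs each successful logon (NT event 528) with the logoff (538) carrying the same Logon ID over constructed sample records, and also flags sessions that never logged off and logoffs whose logon is missing from the log window.

```python
from datetime import datetime

# Constructed sample records shaped like NT 4 security-log entries:
# event 528 = successful logon, 538 = user logoff (all values are made up).
SAMPLE_EVENTS = [
    {"time": "01/13/2003 07:02:14", "id": 528, "user": "jsmith",
     "logon_id": "(0x0,0xDFA0E5)", "logon_type": 3, "process": "KSecDD"},
    {"time": "01/13/2003 07:02:15", "id": 528, "user": "jsmith",
     "logon_id": "(0x0,0xDFA0F2)", "logon_type": 3, "process": "KSecDD"},
    {"time": "01/13/2003 07:09:41", "id": 538, "user": "jsmith",
     "logon_id": "(0x0,0xDFA0E5)", "logon_type": 3},
    {"time": "01/13/2003 08:30:00", "id": 528, "user": "admin",
     "logon_id": "(0x0,0xE01B33)", "logon_type": 2, "process": "User32"},
    {"time": "01/13/2003 09:00:05", "id": 538, "user": "svc",
     "logon_id": "(0x0,0x3C1F)", "logon_type": 5},
]

LOGON, LOGOFF = 528, 538


def parse_logon_id(text):
    """'(0x0,0xDFA0E5)' -> 0xDFA0E5. The two halves form a 64-bit LUID that
    is unique per logon session on this machine; it is not the user's SID."""
    high, low = text.strip("()").split(",")
    return (int(high, 16) << 32) | int(low, 16)


def parse_time(text):
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S")


def correlate_sessions(events):
    """Pair each 528 with the 538 that carries the same Logon ID.
    Returns (sessions keyed by LUID, orphan logoff LUIDs). A session whose
    logoff was never seen keeps seconds=None: still logged on, or the 538
    was lost (log cleared, wrapped, or not audited)."""
    sessions, orphans = {}, []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        luid = parse_logon_id(ev["logon_id"])
        if ev["id"] == LOGON:
            sessions[luid] = {"user": ev["user"], "logon_type": ev["logon_type"],
                              "start": parse_time(ev["time"]), "seconds": None}
        elif ev["id"] == LOGOFF:
            if luid in sessions and sessions[luid]["seconds"] is None:
                sess = sessions[luid]
                sess["seconds"] = int((parse_time(ev["time"]) - sess["start"]).total_seconds())
            else:
                orphans.append(luid)  # logoff with no logon in this log window
    return sessions, orphans
```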
-----Original Message-----
From: Peter Snell [mailto:PSnell (at) daymon (dot) com]
Sent: Monday, January 13, 2003 7:20 AM
To: John Smith; focus-ms (at) securityfocus (dot) com
Subject: RE: Understanding Event Details in Windows NT

www.eventid.net is a good resource for researching events if you have an
Event ID from the viewer.

LoginID is probably referencing the SID.

Logon Type 3 is a network logon.

Logon Process KSecDD is the Kerberos Security Device Driver.

You can build a list that maps the SID's to usernames like this:

1. Dump the user list to a text file with the NET USERS command or with
Addusers.exe.
2. Modify this text file to remove unwanted information (headers, and so
forth).
3. Modify the resulting list of user names into a batch file, using the
GETSID resource kit utility to translate each user name into a SID. Redirect
the output to a text file.
4. When you encounter a SID, search the text file (created previously) for
that SID. This will place you on the line with the user's name.

Hope this helps,

Pete

-----Original Message-----
From: John Smith [mailto:for3nsics (at) yahoo.com (dot) au]
Sent: Sunday, January 12, 2003 11:11 PM
To: focus-ms (at) securityfocus (dot) com
Subject: Understanding Event Details in Windows NT

Hi all,

I'm curious to know what the contents of the event
details mean in MS Event Viewer.

i.e. How do you determine from a successful Logon that
the user only viewed event logs remotely and didn't
mount a share?

Some other questions:
What does "LoginID: (0x0,0xDFA0E5)" mean?

What does "Logon Type: 3" mean?

What does "Logon Process: KSecDD" mean?

Thanks in advance.


Copyright 2009, SecurityFocus