Events 528/576 caused by
Occasionally I see a pair of entries in the event viewer security log that are attributed to anonymous user. Event 1: Event ID: 528 User: NTAuthority/anonymous Computer: (name of computer) Source: Security Type: Success Audit Catagory: Logon/Logoff Description: Successful Logon: User Name: (blank) Domain (blank) Lo ...
Occasionally I see a pair of entries in the event viewer security log that are attributed to "anonymous user".
Event 1:
Event ID: 528
User: NTAuthority/anonymous
Computer: (name of computer)
Source: Security
Type: Success Audit
Catagory: Logon/Logoff
Description:
Successful Logon:
User Name: (blank)
Domain (blank)
Login Id: (0x0,0x3639)
Logon Type: 3
Logon Process: KSecDD
Authentication Process:
Microsoft_Authentication_Package_V1_0
Workstation name: (blank)
Event 2:
Event ID:576
User: NT Authority/anonymous
Computer: (name of computer)
Source: Security
Type: Success Audit
Catagory: Privilege Use
Description:
Special privileges assigned to new logon:
User name; (blank)
Domain: (blank)
Login ID: (0x0,0x3635)
Assigned: SechangeNotifyPrivilege
They come in pairs, same date and time stamp. the item "0x36nn" seems to change a little, but it's always "0x36nn".
The item (blank) is really blank, empty space. The item (name of computer) is the name of the workstation.
There is no "anonymous" user in the user manager. System is NT4 server, SP6.
Should I be concerned with these items? If not, what are they?
Why is their no user name printed?
What is the Login ID?
Event 1:
Event ID: 528
User: NTAuthority/anonymous
Computer: (name of computer)
Source: Security
Type: Success Audit
Catagory: Logon/Logoff
Description:
Successful Logon:
User Name: (blank)
Domain (blank)
Login Id: (0x0,0x3639)
Logon Type: 3
Logon Process: KSecDD
Authentication Process:
Microsoft_Authentication_Package_V1_0
Workstation name: (blank)
Event 2:
Event ID:576
User: NT Authority/anonymous
Computer: (name of computer)
Source: Security
Type: Success Audit
Catagory: Privilege Use
Description:
Special privileges assigned to new logon:
User name; (blank)
Domain: (blank)
Login ID: (0x0,0x3635)
Assigned: SechangeNotifyPrivilege
They come in pairs, same date and time stamp. the item "0x36nn" seems to change a little, but it's always "0x36nn".
The item (blank) is really blank, empty space. The item (name of computer) is the name of the workstation.
There is no "anonymous" user in the user manager. System is NT4 server, SP6.
Should I be concerned with these items? If not, what are they?
Why is their no user name printed?
What is the Login ID?
Participate on our website and join the conversation
This topic is archived. New comments cannot be posted and votes cannot be cast.
Responses to this topic
Quote:
Should I be concerned with these items? If not, what are they?
No, it is normal. See this:
Quote:
[url=
http://www.derkeiler.com/Newsgroups/comp...02-02/0194.html
" title="httpwwwderkeilercomNewsgroupscomposmswindowsntadminsecurity2002020194html titlehttpwwwderkeilercomNewsgroupscomposmswindowsntadminsecurity2002020194htmlurlhttpwwwderkeilercomNewsgroupscomposmswindowsntadminsecurity2002020194html relnofollow targetblankhttpwwwderkeilercomNewsgroupscomp02020194html"> http://www.derkeiler.com/Newsgroups/comp...0194.html
This is quite normal and shouldn't alarm you too much. The
'SeChangeNotifyPrivilege' is an advanced permission and bypasses traverse checking.
Quote:
Why is their no user name printed?
It is anonymous.. sorry, do not know. Perhaps it is Windows' internal activity which will not log username.
Should I be concerned with these items? If not, what are they?
No, it is normal. See this:
Quote:
[url=
http://www.derkeiler.com/Newsgroups/comp...02-02/0194.html
" title="httpwwwderkeilercomNewsgroupscomposmswindowsntadminsecurity2002020194html titlehttpwwwderkeilercomNewsgroupscomposmswindowsntadminsecurity2002020194htmlurlhttpwwwderkeilercomNewsgroupscomposmswindowsntadminsecurity2002020194html relnofollow targetblankhttpwwwderkeilercomNewsgroupscomp02020194html"> http://www.derkeiler.com/Newsgroups/comp...0194.html
This is quite normal and shouldn't alarm you too much. The
'SeChangeNotifyPrivilege' is an advanced permission and bypasses traverse checking.
Quote:
Why is their no user name printed?
It is anonymous.. sorry, do not know. Perhaps it is Windows' internal activity which will not log username.
