Event ID 538 & 540 whenuser did not logon

G

Guest

I can see in the Event Log several instances of Event ID 538 & 540 for users
that I know did not logon to a particular machine.

User Name: Username
Domain: Domain
Logon ID: (0x0,0x442D8F)
Logon Type: 3

The event happens with minutes of each other. At first I thought it was a
co-worker remotely connecting to a machine I was working since it would
appear on any machine that I remotely connected to but I dont believe that is
the situation.
One thing that may be noteworthy is we use Tight VNC within Ideal and Real
VMC to remotely conect to user's workstations.
Any help/suggestions/enlightenment would be greatly appreciated.

Thank you
 
S

Steven L Umbach

How do you know that they did not access the computer? If the computer with
these events in the security log has shares, maybe they were accessing files
via My Network Places. A connection via a remote management program would
certainly generate logon events also. --- Steve
 
G

Guest

There are no shares on the workstations that they would be connecting
to.(these are users workstations that do not house shares) I asked my
co-worker if they were connected and they said no. I have no shares on my
workstation either.

Thx - Jenny
 
S

Steven L Umbach

Jenny said:
There are no shares on the workstations that they would be connecting
to.(these are users workstations that do not house shares) I asked my
co-worker if they were connected and they said no. I have no shares on my
workstation either.

Thx - Jenny
Click to expand...
 
S

Steven L Umbach

Maybe not that you know of. Try running the command " net share " on your
computer. If anything is shown someone could be trying to connect to one of
those shares. Shares with $ after them are hidden but commonly known to many
users. Another possibility is that someone else has obtained another user's
password and is trying to connect to your computer impersonating that user
though the logon events should show the workstation that the logon came
from. If you do not need to be offering shares to other users or a need to
have your computers managed remotely via Computer Management or such you can
disable file and print sharing. --- Steve
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Event Error Logs with Event ID 538 and 540 1
Event ID 538 vs 551 - strange behavior 0
event log 538 and 540 1
Auditing User logon/logoff events. 2
Event ID 538 and 540 : Security threat? 1
Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON 15
Excessive computer account logon/logoff loggining on security log 5
Event ID 540 2

Top