Constant Logon/Logoff 538 540

Sorry, I know this issue has been brought up many times but there seems to be no real answer that I can find.
My XP Homes are constantly generating 538 and 540 Type 3 Anonymous logons every 10 seconds or so on my network.
Very annoying and useless as far as I can tell. Only 1 Admin account on machines with guest account off. No spyware. Not using Logon Screen. My XP Pro machines are fine.
Can someone suggest a definite solution to this or is this just a nonfixable bug?
 
I do not use Home Edition, but know you cannot directly access
as much such as using Local Security Policy, where in Pro edition
you can manage these reg keys in the HKeyLocalMachine hive:

System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
System\CurrentControlSet\Control\Lsa\RestrictAnonymous
System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
These are all of type REG_DWORD.
See if on this system the first is set to 0 and the last is set to 1.

Do you see this in the event log when the machine has its network
wire disconnected?

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
tder1 said:
Sorry, I know this issue has been brought up many times but there seems to
be no real answer that I can find.
My XP Homes are constantly generating 538 and 540 Type 3 Anonymous logons
every 10 seconds or so on my network.
Very annoying and useless as far as I can tell. Only 1 Admin account on
machines with guest account off. No spyware. Not using Logon Screen. My XP
Pro machines are fine.
Can someone suggest a definite solution to this or is this just a
nonfixable bug?
 

I agree. This is a very annoying issue. I found a post from an MVP
dated almost a year ago, that mentioned this is a normal condition for
Home Edition systems with "file/print sharing" active. Adding, if the
system is behind a firewall there would be no need to worry. However,
I don't think it's good to see these false/positive events listed. If
someone by some extraordinary method was able to gain access to a Home
Edition system, there currently is no way to determine the true nature
of the event. Microsoft should address this as soon as possible to
give Home Edition users confidence that their systems aren't being
compromised.

On my Win2000 client which has "file/print sharing" active, the
security log is clear of 538/540 events.

-k
 
Thanks for the reply Roger, I will have to see if I can
access the Reg. Keys you speak of on the Homes. Not sure
and they are at work. All the logging activity does stop
when I disconnect the machine from the Network though.
 
Home seems to be the only OS with this issue and hard to
believe they would allow this annoyance to continue for
this long when MS could come up with a fix. It surely
could become a large security problem with all the homes
out there. They may explain it away as benign but a
machine needs to poll the other clients only once or on
demand!! I have seen all the past inquiries about this
issue with no solution. This useless polling takes up
machine resources as well as bandwidth on the Network.

It's also hard to imagine why this issue doesn't get more visibility to the
MS security team. There are hundreds of postings about this. And the MVPs
and other XP experts just say that Home users should ignore the events being
logged. Unbelievable! What can be done to escalate this issue? What's the
point of having the events being logged if they don't tell you the truth or fully
explain what's going on within the LAN?
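
An added example, not part of any post in this thread: one way to review an exported Security log so that the repeating anonymous Type 3 540/538 pairs are summarised per source workstation while any other network logon is listed for reading. The tuple layout, the workstation and account names, and the sample rows are constructed assumptions, not data from the thread.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample rows (not taken from the thread). Assumed layout:
# (time, event_id, logon_type, user, domain, logon_id, workstation)
SAMPLE = [
    ("2005-03-01 09:00:00", 540, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "0x1a01", "PC-A"),
    ("2005-03-01 09:00:01", 538, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "0x1a01", ""),
    ("2005-03-01 09:00:03", 538, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "0x0fff", ""),
    ("2005-03-01 09:00:05", 540, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "0x1a02", "PC-B"),
    ("2005-03-01 09:00:06", 538, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "0x1a02", ""),
    ("2005-03-01 09:00:10", 540, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "0x1a03", "PC-A"),
    ("2005-03-01 09:00:11", 538, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "0x1a03", ""),
    ("2005-03-01 09:00:12", 540, 3, "admin", "HOME1", "0x2b00", "PC-B"),
    ("2005-03-01 09:00:15", 540, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "0x1a04", "PC-B"),
    ("2005-03-01 09:00:16", 538, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "0x1a04", ""),
    ("2005-03-01 09:00:20", 540, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "0x1a05", "PC-A"),
    ("2005-03-01 09:00:21", 538, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "0x1a05", ""),
]


def triage(rows):
    """Separate repetitive anonymous network logons from ones worth reading."""
    open_ids = {}               # logon_id -> time of a 540 still awaiting its 538
    anon = defaultdict(list)    # workstation -> times of anonymous 540 events
    review, orphan_logoffs = [], 0
    for ts, event_id, logon_type, user, domain, logon_id, workstation in rows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 540 and logon_type == 3:
            open_ids[logon_id] = when
            if (user.upper(), domain.upper()) == ("ANONYMOUS LOGON", "NT AUTHORITY"):
                anon[workstation].append(when)
            else:
                review.append((ts, f"{domain}\\{user}", workstation))
        elif event_id == 538 and open_ids.pop(logon_id, None) is None:
            orphan_logoffs += 1  # matching logon is outside the exported window
    summary = {}
    for ws, times in anon.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[ws] = {"count": len(times), "median_gap_s": median(gaps) if gaps else None}
    return summary, review, sorted(open_ids), orphan_logoffs


if __name__ == "__main__":
    summary, review, still_open, orphans = triage(SAMPLE)
    print("anonymous by workstation:", summary)
    print("network logons to review:", review)
    print("no logoff seen yet:", still_open, "| orphan logoffs:", orphans)
```

A steady per-workstation gap in the summary points to which machine on the LAN is doing the polling; the review list is what remains to be read by hand.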