Event Viewer/ Success Audit


J

Jason

Okay, last week sometime someone hacked into my PC and
dropped the DAMEWARE software. Well, I removed it and
enabled audit success and failure logins. Well I noticed
that around 2:am in the event viewer this morning there
are success audits, and the user is NT AUTHORITY\SYSTEM.
Does this mean anything? How can I find if that person is
still accessing my pc? This pc has Filemaker on it and it
host databases (via IP/web).

Thanks for any input.

Jay
 
Ad

Advertisements

J

Jason Garms [MSFT]

Hi Jay,

"NT AUTHORITY\SYSTEM" is a built-in account that the
system itself uses. You can't actually logon as this
account from the logon screen, or over the network. You
will regularly see this audit event if you have logon/off
auditing enabled.

best,
-jasong
 
Ad

Advertisements

J

Jay

-----Original Message-----
Hi Jay,

"NT AUTHORITY\SYSTEM" is a built-in account that the
system itself uses. You can't actually logon as this
account from the logon screen, or over the network. You
will regularly see this audit event if you have logon/off
auditing enabled.

best,
-jasong
Thanks, I was getting worried there for a moment.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top