Strange logons...
We have noticed that a number of our administrators' 'admin' accounts appear to log on to one of our servers at totally random times, including all through the night. These always generate the same three event IDs in the security log (538, 576 and 540) within 1 second. Is there a way of finding out what is causing these accounts to be logging on at these times? We know for a fact that the admins are not logging on themselves at these times. It only appears to be on this server as well. Any help appreciated. All our servers are 2003 in case you were wondering.
November 12th, 2009 4:45pm

You may want to check to make sure that there are no services or applications running using the said admin accounts. Isaac Oben MCITP:EA, MCSE
November 12th, 2009 4:59pm

There are none that I can see. They appear to be accessing the server via the network from a remote computer or from this machine via a network share, and we do not (should not!) have any services running under the admins creds on any server.
November 12th, 2009 6:03pm

Did you check for scheduled tasks that run under these user ids? One of the events should give you the source IP address of the server the actual logon was from.
November 13th, 2009 6:27am

Hi, A bit more info for you... I have copied the events below so you can see exactly what is happening (sensitive info removed):

--------------------------------------------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 13/11/2009
Time: 03:23:10
User: ABCD\admin_username
Computer: SERVERNAME
Description:
User Logoff:
User Name: admin_username
Domain: ABCD
Logon ID: (0x0,0xF0C26F4)
Logon Type: 3
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------------------------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 576
Date: 13/11/2009
Time: 03:23:10
User: ABCD\admin_username
Computer: SERVERNAME
Description:
Special privileges assigned to new logon:
User Name: admin_username
Domain: ABCD
Logon ID: (0x0,0xF0C26F4)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------------------------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 13/11/2009
Time: 03:23:10
User: ABCD\admin_username
Computer: SERVERNAME
Description:
Successful Network Logon:
User Name: admin_username
Domain: ABCD
Logon ID: (0x0,0xF0C26F4)
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: SERVERNAME
Logon GUID: -
Caller User Name: SERVERNAME$
Caller Domain: ABCD
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1036
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------------------------------------------------------------------------------------

Now, in the last event I noticed that this is being run under PID 1036. Looking at Task Manager this is shown to be svchost (who'd have thought...), so a quick check on the services running under this svchost instance gives:

svchost.exe 1036 AeLookupSvc, BITS, Browser, CryptSvc, dmserver, EventSystem, HidServ, lanmanserver, lanmanworkstation, Netman, Nla, Schedule, seclogon, SENS, ShellHWDetection, TrkWks, winmgmt, wuauserv, WZCSVC

These all appear to be standard MS services so I'm not really sure if this helps or not... I'm not really any closer to finding out why this server is behaving like it is. Again, any help appreciated.
November 13th, 2009 1:58pm
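An added example (not from the thread or any of its posters) that parses exported events in this one-field-per-line layout and applies the pattern seen above: 538, 576 and 540 sharing one Logon ID in the same second, with Workstation Name equal to the recording server and the caller being that server's own machine account, reporting the Caller Process ID to check in Task Manager. The sample records and the "----" separator are constructed; field names are the ones in the events above.

```python
from collections import defaultdict
# Constructed sample in a one-field-per-line layout modelled on the thread's exported events.
SAMPLE = """\
Event ID:538
Time:03:23:10
Logon ID:(0x0,0xF0C26F4)
----
Event ID:576
Time:03:23:10
Logon ID:(0x0,0xF0C26F4)
----
Event ID:540
Time:03:23:10
Computer:SERVERNAME
User Name:admin_username
Logon ID:(0x0,0xF0C26F4)
Workstation Name:SERVERNAME
Caller User Name:SERVERNAME$
Caller Process ID:1036
----
Event ID:540
Time:09:15:02
Computer:SERVERNAME
User Name:admin_username
Logon ID:(0x0,0x1234ABC)
Workstation Name:ADMINPC
"""

def parse_events(text):
    """One dict per record; split each line on its first ':' so Time keeps its own colons."""
    return [dict(tuple(map(str.strip, line.partition(":")[::2])) for line in block.strip().splitlines())
            for block in text.strip().split("----") if block.strip()]

def find_self_logons(events):
    """Return (logon_id, user, caller_pid) for 540/576/538 bursts the server made to itself."""
    by_id = defaultdict(list)
    for e in events:
        by_id[e["Logon ID"]].append(e)
    findings = []
    for logon_id, group in by_id.items():
        logon = next((e for e in group if e["Event ID"] == "540"), None)
        # The thread's pattern: all three IDs under one Logon ID in the same second, with the
        # Workstation Name equal to the recording computer and the caller its machine account.
        if (logon is None or not {"538", "576"} <= {e["Event ID"] for e in group}
                or len({e["Time"] for e in group}) != 1):
            continue
        if (logon.get("Workstation Name") == logon["Computer"]
                and logon.get("Caller User Name") == logon["Computer"] + "$"):
            findings.append((logon_id, logon["User Name"], logon["Caller Process ID"]))
    return findings
```

The lone 540 from ADMINPC in the sample is left alone, since it has no matching 576/538 burst and comes from a different workstation.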

Sorry, I realised I didn't really answer the question. There is only one scheduled task that runs each night and that is set to use our scheduled task admin account. Cheers,
November 13th, 2009 2:02pm

Caller User Name: SERVERNAME$ This should be the source computer name. You need to check that computer.
November 13th, 2009 3:18pm

This is the same server that is logging the events, i.e. it is logging on to itself. From event 540:
---
Workstation Name: SERVERNAME
Caller User Name: SERVERNAME$
---
These are the same server.
November 13th, 2009 4:29pm

What is installed on this computer? There may be some application that has its own scheduled tasks, impersonation settings, etc. It's time consuming, but run dcomcnfg.exe, drill into Computer > My Computer > COM+ Applications and DCOM Config, and check the Identity tab of each listed item for the account in question. A simpler alternative is to change the password on the account and see what breaks.
November 13th, 2009 6:16pm

I like the 'change the password and see what breaks' approach, but seeing as this is our main Finance server this might be frowned upon... I'll go down the DCOM route I think... Ta.
November 13th, 2009 6:54pm

If the DCOM trick doesn't work, you could run a login script which generates more information for you. We've done that with KiX Script instead of PowerShell. We log: LoginTime, LogoffTime, Remote Computer, RemoteIp, UserName, UserGroup. Changing the password and seeing what breaks doesn't work very well on live servers.
November 16th, 2009 3:41am

Yeti, how did the DCOM research go? Other ideas... Since the event log shows you the Process ID (PID), and you know it's svchost.exe, you can stop those services one at a time and watch in Task Manager for the matching svchost PID to stop. Maybe if you identify the service you may figure out the issue. I really think it is an application that is configured with this user id, and it uses it internally. Here is a more complete list of svchost processes and services: Windows 2003 Default SVCHost Services http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/Windows%202003%20Default%20SVCHost%20Services.aspx Another option would be to enable process tracking in the audit settings. This may help identify the processes involved. Or you can try Process Monitor from Microsoft/Sysinternals to capture a log of all processes starting and stopping.
November 16th, 2009 5:26pm

Hi, I did go through all the DCOM entries and checked the permissions. None of these had the admin accounts explicitly named. However, there were a few that had the local Administrators group allowed, of which the admins will be members. I will try having a look at Process Monitor. Thanks
November 17th, 2009 5:07pm

Hi, I have been monitoring the server with Process Monitor but have drawn a blank. I have been capturing events and have seen the logons appear in the security event viewer, yet nothing appears in Process Monitor. I have applied a filter that uses the 'Username contains' condition for the admin in question but nothing is displayed. I'm somewhat confused now... Any help appreciated.
November 18th, 2009 1:12pm

Like I said before, get some login/logoff script to work, as described here: http://s22jgs.wordpress.com/2009/03/22/audit-login-and-logout-events-using-login-scripts/ so you can see who is logging in, from where, when etc. Process tools are fine for processes you know; if you don't know exactly what to audit, you'll probably never find the correct process.
November 18th, 2009 2:35pm

Search in the description for the username instead.
November 19th, 2009 6:37am

Hi, The only issue I have with this is that I know the username that is being used and the computer name that it is coming from. I need to know what it is that is causing the logons, hence going down the process route. Cheers
November 19th, 2009 12:08pm

Progress!!! Have managed to capture a logon with Process Monitor. Details as follows:
Process Name: svchost.exe
PID: 1036
Operation: Load Image
Path: C:\Windows\system32\wbem\wbemcons.dll
Detail: Image Base: 0x73c8000, Image Size: 0xe000
Description: Generic Host Process for Win32 Services
User: NT AUTHORITY\SYSTEM
There are five entries around the time of the logon events: two Thread Creates, Load Image, Thread Create and Thread Exit. The Load Image is the only one with any obvious detail. Now, the question still remains why are various admin logons happening at random times? Would this be anything to do with MOM? I was wondering if MOM was using WMI to query a system object and was using the account that created the query? I don't know, I'm guessing. Thanks for your time.
November 19th, 2009 1:15pm

It's probably MOM as you think... change the user id in MOM and you can verify. If it's not MOM then it is clearly some other application using WMI to connect. Best practice is to have separate service accounts for these types of things. Best Practices for creating Service Accounts to access Active Directory http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Best%20Practices%20for%20creating%20Service%20Accounts%20to%20access%20Active%20Directory.aspx
November 19th, 2009 4:38pm

Check out this link: http://techblog.wanierke.de/2009/09/23/service-stoppsstarted-event-id-540-logonlogoff-by-username/print/
November 19th, 2009 4:57pm

This looks very promising. Will discuss with my manager whether or not to implement the suggestions. Thanks for all your help.
November 20th, 2009 12:47pm

Having had a look at this, every time the WinHttpAutoProxySvc (the most common service restart) restarts, we see the logons appear in the security logs. So it would appear that the above link may well be the way to go.
November 20th, 2009 1:19pm

I always disable the WinHttpAutoProxySvc service. It's not very useful unless you actually use a proxy and require this service.
November 20th, 2009 6:39pm

I had the exact same situation, but it was my own Admin account that was showing up. The solution proposed in that article fixed it. No reboot required, no service interruption.
November 20th, 2009 6:48pm
