Hi, Windows XP records event 528 for user logon and 538 for user logoff. While looking into event-viewer I have seen that:- 1. In most of the cases, the event 538 and 528 are recorded for the same time (i.e. time of generation of event is same). Logically it should be different so that one can track about the duration of system usage by a particular user. If anyone can explain the logic behind them and how distinct Logon ID could be used to correlate the logon and logon processes to determine the system usage by different user. 2. A lot many events for ID 528 and 538 are generated for user name Network Services and NT Authority. What is their utility. How can we use them to track down auditing of system usage. Thanks for your cooperation, regards, Muhammad Naeem Khan _______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Mon Jun 27 2005 - 10:00:25 PDT