On 26 Jun 2005 at 11:44, Muhammad Khan wrote:

> Hi,
> Windows XP records event 528 for user logon and 538 for user logoff.
> While looking into event-viewer I have seen that:-
> 1. In most of the cases, the event 538 and 528 are recorded for the
> same time (i.e. time of generation of event is same). Logically it
> should be different so that one can track about the duration of system
> usage by a particular user. If anyone can explain the logic behind
> them and how distinct Logon ID could be used to correlate the logon
> and logon processes to determine the system usage by different user.

See http://www.heysoft.de/nt/eventlog/faqa1.htm#A8

> 2. A lot many events for ID 528 and 538 are generated for user name
> Network Services and NT Authority. What is their utility. How can we
> use them to track down auditing of system usage.

You could try a tool I wrote for exactly this purpose - R528 from
http://www.heysoft.de/nt/eventlog/ep-re.htm

Frank Heyne

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
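
Added example, not part of the original thread and not the R528 tool: one way to pair 528 and 538 records by Logon ID and total closed interactive sessions per user, leaving service logons and unmatched logons out of the total. The comma-separated record layout, the sample values and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real log data): time, event ID, user, Logon ID, logon type
SAMPLE = """\
2005-06-26 08:00:05,528,NETWORK SERVICE,0x3e4,5
2005-06-26 08:01:10,528,alice,0x1a2b3,2
2005-06-26 08:01:12,528,alice,0x1a2f0,7
2005-06-26 08:01:12,538,alice,0x1a2f0,7
2005-06-26 12:31:10,538,alice,0x1a2b3,2
2005-06-26 13:00:00,528,bob,0x2c001,10
"""
INTERACTIVE = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive

def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, logon_id, ltype = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "user": user,
                       "logon_id": logon_id.lower(), "type": int(ltype)})
    return events

def pair_sessions(events):
    """Pair each 528 with the 538 that carries the same Logon ID."""
    open_logons, sessions = {}, []
    def close(start, end):
        sessions.append({"user": start["user"], "logon_id": start["logon_id"],
                         "type": start["type"], "start": start["time"], "end": end})
    # At an identical timestamp, 528 sorts before 538.
    for ev in sorted(events, key=lambda e: (e["time"], e["id"])):
        lid = ev["logon_id"]
        if ev["id"] == 528:
            if lid in open_logons:  # ID seen again with no logoff (IDs repeat across boots)
                close(open_logons.pop(lid), None)
            open_logons[lid] = ev
        elif ev["id"] == 538 and lid in open_logons:
            close(open_logons.pop(lid), ev["time"])
    for start in open_logons.values():  # no 538 recorded for these
        close(start, None)
    return sessions

def interactive_usage(sessions):
    """Seconds of closed interactive sessions per user."""
    totals = defaultdict(float)
    for s in sessions:
        if s["type"] in INTERACTIVE and s["end"] is not None:
            totals[s["user"]] += (s["end"] - s["start"]).total_seconds()
    return dict(totals)

if __name__ == "__main__":
    print(interactive_usage(pair_sessions(parse(SAMPLE))))
```
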
This archive was generated by hypermail 2.1.3 : Tue Jun 28 2005 - 06:25:28 PDT