Help with Event Viewer timetamp for login/logout?

S

Scott Ehrlich

I have a Windows XP w/SP2 machine on an isolated LAN, with a Linux server
acting as a Samba NT 4 PDC.

A review on the Windows machine's event viewer revealed a user's account
that only had a logout entry and a very unusual hour. Just before that
entry, someone else had logged in and logged out, but several hours
beforehand.

I keep very tight controls on the systems, and I'm the only one with
Admin/root rights.

What might be the cause of that unusual entry?

Thanks for any insights.

Scott
 
D

Dave Patrick

Take a look at all automatic scheduled processes.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Scott Ehrlich" wrote:
>
> I have a Windows XP w/SP2 machine on an isolated LAN, with a Linux server
> acting as a Samba NT 4 PDC.
>
> A review on the Windows machine's event viewer revealed a user's account
> that only had a logout entry and a very unusual hour. Just before that
> entry, someone else had logged in and logged out, but several hours
> beforehand.
>
> I keep very tight controls on the systems, and I'm the only one with
> Admin/root rights.
>
> What might be the cause of that unusual entry?
>
> Thanks for any insights.
>
> Scott
 
S

Scott Ehrlich

Are there any knowledgebase articles that refer to possibly delayed event
log write action - such as a person logging out of a machine, that
information being cached but never written to disk until another action
forces the cache flush, and when the cache is flushed, then the event is
noted - a delayed action making it seem the event took place later than it
did?

In article <701CC355-462C-424E-A2C8-058B632EC632@microsoft.com>,
Dave Patrick <DSPatrick@nospam.gmail.com> wrote:
>Take a look at all automatic scheduled processes.
>
>--
>
>Regards,
>
>Dave Patrick ....Please no email replies - reply in newsgroup.
>Microsoft Certified Professional
>Microsoft MVP [Windows]
>http://www.microsoft.com/protect
>
>"Scott Ehrlich" wrote:
>>
>> I have a Windows XP w/SP2 machine on an isolated LAN, with a Linux server
>> acting as a Samba NT 4 PDC.
>>
>> A review on the Windows machine's event viewer revealed a user's account
>> that only had a logout entry and a very unusual hour. Just before that
>> entry, someone else had logged in and logged out, but several hours
>> beforehand.
>>
>> I keep very tight controls on the systems, and I'm the only one with
>> Admin/root rights.
>>
>> What might be the cause of that unusual entry?
>>
>> Thanks for any insights.
>>
>> Scott

>
 
D

Dave Patrick

None that I'm aware of. I don't think it would work that way. Some service
or task may be configured to use that account. Try changing the password to
see what breaks.


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Scott Ehrlich" wrote:
>
> Are there any knowledgebase articles that refer to possibly delayed event
> log write action - such as a person logging out of a machine, that
> information being cached but never written to disk until another action
> forces the cache flush, and when the cache is flushed, then the event is
> noted - a delayed action making it seem the event took place later than it
> did?
 
Back
Top Bottom