Click here to get back home

NON STOP Event log -event id 538,540,576
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
NON STOP Event log -event id 538,540,576 DD 09-02-2007
Posted by DD on September 2, 2007, 11:44 pm
Please log in for more thread options
 One of the windows 2003 DC keep generating the 3 security event (EVENT id
538,540 & 576)

The security event log full after 3-5 minuts.

Not sure which application or services keep generating the security event,
please help


event id :538

User Logoff:
        User Name:        USGS0001$
        Domain:                SG
        Logon ID:                (0x0,0x75595CB)
        Logon Type:        3
Event id 540
Successful Network Logon:
        User Name:        USGS0001$
        Domain:                SG
        Logon ID:                (0x0,0x75595CB)
        Logon Type:        3
        Logon Process:        Kerberos
        Authentication Package:        Kerberos
        Workstation Name:        
        Logon GUID:        
        Caller User Name:        -
        Caller Domain:        -
        Caller Logon ID:        -
        Caller Process ID: -
        Transited Services: -
        Source Network Address:        10.192.100.2
        Source Port:        1818

Event id 540

Special privileges assigned to new logon:
        User Name:        USGS0001$
        Domain:                SG
        Logon ID:                (0x0,0x75595CB)
        Privileges:        SeSecurityPrivilege
                        SeBackupPrivilege
                        SeRestorePrivilege
                        SeTakeOwnershipPrivilege
                        SeDebugPrivilege
                        SeSystemEnvironmentPrivilege
                        SeLoadDriverPrivilege
                        SeImpersonatePrivilege
                        SeEnableDelegationPrivilege

For more information, see Help and Support Center at

Posted by Roger Abell [MVP] on September 4, 2007, 12:10 am
Please log in for more thread options
 It appears from the events given that a machine named
USGS0001 in the domain named SG is doing a network
logon (type 3) such as for access to a share, i.e. some
application/service on that machine that is running in the
System or the Network Service context is doing so.


> One of the windows 2003 DC keep generating the 3 security event (EVENT id
> 538,540 & 576)
>
> The security event log full after 3-5 minuts.
>
> Not sure which application or services keep generating the security event,
> please help
>
>
> event id :538
>
> User Logoff:
> User Name: USGS0001$
> Domain: SG
> Logon ID: (0x0,0x75595CB)
> Logon Type: 3
> Event id 540
> Successful Network Logon:
> User Name: USGS0001$
> Domain: SG
> Logon ID: (0x0,0x75595CB)
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name:
> Logon GUID:
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 10.192.100.2
> Source Port: 1818
>
> Event id 540
>
> Special privileges assigned to new logon:
> User Name: USGS0001$
> Domain: SG
> Logon ID: (0x0,0x75595CB)
> Privileges: SeSecurityPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeTakeOwnershipPrivilege
> SeDebugPrivilege
> SeSystemEnvironmentPrivilege
> SeLoadDriverPrivilege
> SeImpersonatePrivilege
> SeEnableDelegationPrivilege
>
> For more information, see Help and Support Center at



Posted by jkeiser on October 2, 2007, 2:34 pm
Please log in for more thread options
I am getting the same 2 (538 & 540) and the antivirus server will not let the
clients update because the server is 'too busy'. Is this a possible DoS
attack?

"Roger Abell [MVP]" wrote:

> It appears from the events given that a machine named
> USGS0001 in the domain named SG is doing a network
> logon (type 3) such as for access to a share, i.e. some
> application/service on that machine that is running in the
> System or the Network Service context is doing so.
>
>
> > One of the windows 2003 DC keep generating the 3 security event (EVENT id
> > 538,540 & 576)
> >
> > The security event log full after 3-5 minuts.
> >
> > Not sure which application or services keep generating the security event,
> > please help
> >
> >
> > event id :538
> >
> > User Logoff:
> > User Name: USGS0001$
> > Domain: SG
> > Logon ID: (0x0,0x75595CB)
> > Logon Type: 3
> > Event id 540
> > Successful Network Logon:
> > User Name: USGS0001$
> > Domain: SG
> > Logon ID: (0x0,0x75595CB)
> > Logon Type: 3
> > Logon Process: Kerberos
> > Authentication Package: Kerberos
> > Workstation Name:
> > Logon GUID:
> > Caller User Name: -
> > Caller Domain: -
> > Caller Logon ID: -
> > Caller Process ID: -
> > Transited Services: -
> > Source Network Address: 10.192.100.2
> > Source Port: 1818
> >
> > Event id 540
> >
> > Special privileges assigned to new logon:
> > User Name: USGS0001$
> > Domain: SG
> > Logon ID: (0x0,0x75595CB)
> > Privileges: SeSecurityPrivilege
> > SeBackupPrivilege
> > SeRestorePrivilege
> > SeTakeOwnershipPrivilege
> > SeDebugPrivilege
> > SeSystemEnvironmentPrivilege
> > SeLoadDriverPrivilege
> > SeImpersonatePrivilege
> > SeEnableDelegationPrivilege
> >
> > For more information, see Help and Support Center at
>
>
>

Posted by Bobby on October 4, 2007, 10:10 am
Please log in for more thread options
I'm receiving the same messages, but we have our users being disconnected
from an application (QuickBooks) and loosing their data. Why are they being
logged off in the middle of the process?

"Roger Abell [MVP]" wrote:

> It appears from the events given that a machine named
> USGS0001 in the domain named SG is doing a network
> logon (type 3) such as for access to a share, i.e. some
> application/service on that machine that is running in the
> System or the Network Service context is doing so.
>
>
> > One of the windows 2003 DC keep generating the 3 security event (EVENT id
> > 538,540 & 576)
> >
> > The security event log full after 3-5 minuts.
> >
> > Not sure which application or services keep generating the security event,
> > please help
> >
> >
> > event id :538
> >
> > User Logoff:
> > User Name: USGS0001$
> > Domain: SG
> > Logon ID: (0x0,0x75595CB)
> > Logon Type: 3
> > Event id 540
> > Successful Network Logon:
> > User Name: USGS0001$
> > Domain: SG
> > Logon ID: (0x0,0x75595CB)
> > Logon Type: 3
> > Logon Process: Kerberos
> > Authentication Package: Kerberos
> > Workstation Name:
> > Logon GUID:
> > Caller User Name: -
> > Caller Domain: -
> > Caller Logon ID: -
> > Caller Process ID: -
> > Transited Services: -
> > Source Network Address: 10.192.100.2
> > Source Port: 1818
> >
> > Event id 540
> >
> > Special privileges assigned to new logon:
> > User Name: USGS0001$
> > Domain: SG
> > Logon ID: (0x0,0x75595CB)
> > Privileges: SeSecurityPrivilege
> > SeBackupPrivilege
> > SeRestorePrivilege
> > SeTakeOwnershipPrivilege
> > SeDebugPrivilege
> > SeSystemEnvironmentPrivilege
> > SeLoadDriverPrivilege
> > SeImpersonatePrivilege
> > SeEnableDelegationPrivilege
> >
> > For more information, see Help and Support Center at
>
>
>

Similar ThreadsPosted
Re: NON STOP Event log -event id 538,540,576 October 2, 2007, 2:44 pm
Event 560 November 4, 2005, 12:51 pm
Event ID 529 December 5, 2005, 10:29 am
event id 22 February 14, 2006, 8:02 am
event id 836 and 837? March 23, 2006, 12:18 pm
Event ID 74 June 12, 2006, 4:10 pm
Event 697 and Event 565 September 19, 2006, 7:49 am
Event 531 July 5, 2007, 2:09 pm
Event Log Access July 8, 2005, 1:35 pm
Empty Event 529 August 4, 2005, 1:01 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap