
Unknown Security Event

Unknown Security Event Joel G. Brown 12-27-2006
Posted by Joel G. Brown on December 27, 2006, 9:08 am
Hello Everyone,
We are getting some security events where almost all of the
properties are getting logged as unknown. Can someone explain the
cases when this can happen or how to research such events? Below is an
example of the event:

Session reconnected to winstation:
User Name: Unknown
Domain: Unknown
Logon ID: (0x0,0x0)

The Event ID is a 682

Thank you,
Joel G. Brown

Posted by Anders Bengtsson on December 27, 2006, 9:43 am
Hi Joel

Please look at this KB http://support.microsoft.com/kb/889187
If that does not help, please post the whole alert, with all parameters.

--

Regards
Anders Bengtsson [MCSE, MCSA, MCP] | anders AT contoso.se |
http://www.contoso.se


> Hello Everyone,
> We are getting some security events where almost all of the properties
> are getting logged as unknown. Can someone explain the cases when this
> can happen or how to research such events? Below is an example of the
> event:
>
> Session reconnected to winstation:
> User Name: Unknown
> Domain: Unknown
> Logon ID: (0x0,0x0)
>
> The Event ID is a 682
>
> Thank you,
> Joel G. Brown



Posted by Joel G. Brown on December 27, 2006, 10:09 am
Anders Bengtsson wrote:

> Hi Joel
>
> Please look at this KB http://support.microsoft.com/kb/889187
> If that does not help, please post the whole alert, with all parameters.
>
Hello and Thank you for the prompt response. The interesting thing is
sometimes it works correctly and other times it does not.

Below are a few sample entries
Event Type:        Success Audit
Event Source:        Security
Event Category:        Logon/Logoff
Event ID:        682
Date:                12/21/2006
Time:                9:27:19 AM
User:                NT AUTHORITY\SYSTEM
Computer:        ********
Description:
Session reconnected to winstation:
        User Name:        Unknown
        Domain:                Unknown
        Logon ID:                (0x0,0x0)
        Session Name:        RDP-Tcp#11
        Client Name:        USABBWND16016
        Client Address:        130.110.199.127

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



Event Type:        Success Audit
Event Source:        Security
Event Category:        Logon/Logoff
Event ID:        682
Date:                12/17/2006
Time:                6:07:05 AM
User:                NT AUTHORITY\SYSTEM
Computer:        ********
Description:
Session reconnected to winstation:
        User Name:        Unknown
        Domain:                Unknown
        Logon ID:                (0x0,0x0)
        Session Name:        Console
        Client Name:        Unknown
        Client Address:        Unknown

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
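
One way to research these entries in bulk, as an added example that is not part of the original post: the Python below parses event 682 entries exported in the text layout shown above, separates those logged with User Name "Unknown" and Logon ID (0x0,0x0) from fully populated ones, and lists the unresolved RDP reconnects that still carry a client name and address. The sample records, host names and addresses are constructed.

```python
import re
from collections import Counter

# Template mirroring the exported text layout of the entries posted above.
_TEMPLATE = (
    "Event Type:\tSuccess Audit\nEvent ID:\t682\nDescription:\n"
    "Session reconnected to winstation:\n"
    "\tUser Name:\t{user}\n\tDomain:\t\t{domain}\n\tLogon ID:\t\t{logon_id}\n"
    "\tSession Name:\t{session}\n\tClient Name:\t{client}\n"
    "\tClient Address:\t{addr}\n\n"
)
# Constructed sample records (hypothetical names, documentation-range IPs).
SAMPLE = "".join(_TEMPLATE.format(**r) for r in [
    dict(user="Unknown", domain="Unknown", logon_id="(0x0,0x0)",
         session="RDP-Tcp#3", client="WKSTN-01", addr="192.0.2.10"),
    dict(user="Unknown", domain="Unknown", logon_id="(0x0,0x0)",
         session="Console", client="Unknown", addr="Unknown"),
    dict(user="jdoe", domain="EXAMPLE", logon_id="(0x0,0x2A5F1)",
         session="RDP-Tcp#4", client="WKSTN-02", addr="192.0.2.11"),
])

# "Field: value" line; the lazy key match stops at the first colon.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(\S.*)$")

def parse_events(text):
    """Split exported text on 'Event Type:' and return one dict per 682 entry."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {m.group(1): m.group(2).strip()
                  for m in map(FIELD.match, chunk.splitlines()) if m}
        if fields.get("Event ID") == "682":
            events.append(fields)
    return events

def triage(events):
    """Tally entries by resolved/unresolved account fields and by session
    kind, and collect unresolved entries that still name a client."""
    tally, follow_up = Counter(), []
    for ev in events:
        unresolved = (ev.get("User Name") == "Unknown"
                      and ev.get("Logon ID") == "(0x0,0x0)")
        kind = "console" if ev.get("Session Name") == "Console" else "rdp"
        tally[("unresolved" if unresolved else "resolved", kind)] += 1
        if unresolved and ev.get("Client Address", "Unknown") != "Unknown":
            follow_up.append((ev.get("Session Name"), ev.get("Client Name"),
                              ev.get("Client Address")))
    return tally, follow_up
```

The follow-up list gives the session name, client name and client address to match against other Logon/Logoff entries recorded around the same time.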


Posted by Anders Bengtsson on December 27, 2006, 11:04 am
And is it always User: NT AUTHORITY\SYSTEM that is unknown?

--

Regards
Anders Bengtsson [MCSE, MCSA, MCP] | anders AT contoso.se |
http://www.contoso.se


> Anders Bengtsson wrote:
>
>> Hi Joel
>>
>> Please look at this KB http://support.microsoft.com/kb/889187
>> If that does not help, please post the whole alert, with all parameters.
>>
> Hello and Thank you for the prompt response. The interesting thing is
> sometimes it works correctly and other times it does not.
>
> Below are a few sample entries
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 682
> Date: 12/21/2006
> Time: 9:27:19 AM
> User: NT AUTHORITY\SYSTEM
> Computer: ********
> Description:
> Session reconnected to winstation:
> User Name: Unknown
> Domain: Unknown
> Logon ID: (0x0,0x0)
> Session Name: RDP-Tcp#11
> Client Name: USABBWND16016
> Client Address: 130.110.199.127
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 682
> Date: 12/17/2006
> Time: 6:07:05 AM
> User: NT AUTHORITY\SYSTEM
> Computer: ********
> Description:
> Session reconnected to winstation:
> User Name: Unknown
> Domain: Unknown
> Logon ID: (0x0,0x0)
> Session Name: Console
> Client Name: Unknown
> Client Address: Unknown
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>



Posted by Roger Abell [MVP] on December 30, 2006, 3:38 am
> Anders Bengtsson wrote:
>
>> Hi Joel
>>
>> Please look at this KB http://support.microsoft.com/kb/889187
>> If that does not help, please post the whole alert, with all parameters.
>>
> Hello and Thank you for the prompt response. The interesting thing is
> sometimes it works correctly and other times it does not.
>

What "it" works or does not?
These look like TS has reconnected a disconnected session.
You mean usually you see all fields populated, but sometimes
only filled as shown?


> Below are a few sample entries
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 682
> Date: 12/21/2006
> Time: 9:27:19 AM
> User: NT AUTHORITY\SYSTEM
> Computer: ********
> Description:
> Session reconnected to winstation:
> User Name: Unknown
> Domain: Unknown
> Logon ID: (0x0,0x0)
> Session Name: RDP-Tcp#11
> Client Name: USABBWND16016
> Client Address: 130.110.199.127
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 682
> Date: 12/17/2006
> Time: 6:07:05 AM
> User: NT AUTHORITY\SYSTEM
> Computer: ********
> Description:
> Session reconnected to winstation:
> User Name: Unknown
> Domain: Unknown
> Logon ID: (0x0,0x0)
> Session Name: Console
> Client Name: Unknown
> Client Address: Unknown
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>


