Logon/Logoff Events Logged Out of Order in Security Log
PSS ID Number: 146880
Article Last Modified on 12/16/2003
The information in this article applies to:
- Microsoft Windows NT Workstation 3.5
- Microsoft Windows NT Workstation 3.51
- Microsoft Windows NT Server 3.5
- Microsoft Windows NT Server 3.51
This article was previously published under Q146880
SYMPTOMS
When Logon/Logoff auditing is enabled and Net DDE is set to run on system
startup, Logoff event 538 is incorrectly logged. Event 538 should be logged
by the system in the Security event log upon the successful logoff from the
desktop by a user. In this scenario, event 538 is logged within 5 to 10
seconds after the next user logs on and the audit for the new logon (event
528) appears.
CAUSE
During logoff, Windows NT should change the owner on all user-mode
processes to the System's logon ID. This is incorrectly handled for Net DDE
(NDDEAGNT.EXE). As a result, at least one process is still running in the
last logged-on user's context, so the logoff event is not audited.
The logon/logoff events can be paired by looking at the Logon ID field in
the Event detail for Security events 528 and 538.
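The pairing described above, as an added example that is not part of the original article: it matches events 528 and 538 on Logon ID and flags a logoff that was logged after the next user's logon. The sample records, user names and Logon ID values are constructed, and the records are assumed to be desktop logons only, where sessions do not normally overlap.

```python
from datetime import datetime

LOGON, LOGOFF = 528, 538  # Security event IDs named in the article

# Constructed sample records: (time logged, event ID, user, Logon ID).
# User names and Logon ID values are made up for illustration.
SAMPLE = [
    ("1996-02-01 09:00:00", 528, "alice", "(0x0,0x1A2B)"),
    ("1996-02-01 12:30:00", 528, "bob",   "(0x0,0x2C3D)"),
    ("1996-02-01 12:30:07", 538, "alice", "(0x0,0x1A2B)"),  # late logoff
    ("1996-02-01 17:00:00", 538, "bob",   "(0x0,0x2C3D)"),
    ("1996-02-01 17:05:00", 528, "carol", "(0x0,0x3E4F)"),  # no 538 yet
]

def parse(rows):
    """Turn raw rows into dicts sorted by the time they were logged."""
    fmt = "%Y-%m-%d %H:%M:%S"
    events = [
        {"time": datetime.strptime(t, fmt), "id": eid, "user": u, "logon_id": lid}
        for t, eid, u, lid in rows
    ]
    return sorted(events, key=lambda e: e["time"])

def pair_sessions(events):
    """Pair each 528 with the 538 that carries the same Logon ID."""
    sessions = {}
    for e in events:
        if e["id"] == LOGON:
            sessions[e["logon_id"]] = {"user": e["user"], "logon": e["time"], "logoff": None}
        elif e["id"] == LOGOFF and e["logon_id"] in sessions:
            sessions[e["logon_id"]]["logoff"] = e["time"]
    return sessions

def out_of_order(sessions):
    """Return (Logon ID, next Logon ID, delay in seconds) for each 538
    that was logged after a later session's 528."""
    flagged = []
    for lid, s in sessions.items():
        if s["logoff"] is None:
            continue  # session still open, or its logoff was never audited
        for other_lid, o in sessions.items():
            if other_lid != lid and s["logon"] < o["logon"] < s["logoff"]:
                delay = (s["logoff"] - o["logon"]).total_seconds()
                flagged.append((lid, other_lid, delay))
                break
    return flagged

if __name__ == "__main__":
    for lid, nxt, delay in out_of_order(pair_sessions(parse(SAMPLE))):
        print(f"538 for {lid} logged {delay:.0f}s after 528 for {nxt}")
```
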
STATUS
Microsoft has confirmed this to be a problem in Windows NT versions 3.5 and
3.51. This problem was corrected in the latest Windows NT 3.51 U.S. Service
Pack. For information on obtaining the Service Pack, query on the
following word in the Microsoft Knowledge Base (without the spaces):