Events 528/576 caused by

[sm5w2 0]

Occasionally I see a pair of entries in the event viewer security log that are attributed to "anonymous user".

 

Event 1:

 

Event ID: 528

User: NTAuthority/anonymous

Computer: (name of computer)

Source: Security

Type: Success Audit

Catagory: Logon/Logoff

Description:

Successful Logon:

User Name: (blank)

Domain (blank)

Login Id: (0x0,0x3639)

Logon Type: 3

Logon Process: KSecDD

Authentication Process:

Microsoft_Authentication_Package_V1_0

Workstation name: (blank)

 

 

Event 2:

 

Event ID:576

User: NT Authority/anonymous

Computer: (name of computer)

Source: Security

Type: Success Audit

Catagory: Privilege Use

Description:

Special privileges assigned to new logon:

User name; (blank)

Domain: (blank)

Login ID: (0x0,0x3635)

Assigned: SechangeNotifyPrivilege

 

 

They come in pairs, same date and time stamp. the item "0x36nn" seems to change a little, but it's always "0x36nn".

 

The item (blank) is really blank, empty space. The item (name of computer) is the name of the workstation.

 

There is no "anonymous" user in the user manager. System is NT4 server, SP6.

 

Should I be concerned with these items? If not, what are they?

 

Why is their no user name printed?

 

What is the Login ID?

 

 

 

[Wilhelmus 1]

Quote:

Should I be concerned with these items? If not, what are they?

No, it is normal. See this:

Quote:

[url=
http://www.derkeiler.com/Newsgroups/comp...02-02/0194.html
" title="httpwwwderkeilercomNewsgroupscomposmswindowsntadminsecurity2002020194html titlehttpwwwderkeilercomNewsgroupscomposmswindowsntadminsecurity2002020194htmlurlhttpwwwderkeilercomNewsgroupscomposmswindowsntadminsecurity2002020194html relnofollow targetblankhttpwwwderkeilercomNewsgroupscomp02020194html" rel="nofollow" target="_blank">http://www.derkeiler.com/Newsgroups/comp...0194.html

This is quite normal and shouldn't alarm you too much. The
'SeChangeNotifyPrivilege' is an advanced permission and bypasses traverse checking.

Quote:

Why is their no user name printed?

It is anonymous.. sorry, do not know. Perhaps it is Windows' internal activity which will not log username.