Event ID 538

Q1: I am wondering if someone can answer a question I have about this event ID
538.

I am trying to determine what exactly this event indicates when it has an
actual user's name and is a type 3? From what I have researched type 3 could
indicate more than one type of log off, however I am trying to determine what
types of logoffs it indicates with the username.

I'm running a Windows Server 2003 with Citrix terminal services running as
well.

Thanks for any help,

A1: The Event ID 538 is usually due to a token leak. Based on MS, "The issue is a class of bug called a ‘Token Leak’. It is fixed for many cases (but not all) in Service Pack 4. It's not possible to fix in all cases because applications can cause this problem." As explained above, even if you install SP4, some of the Token Leak problems that are associated with the OS will be removed but as far as the third party ap

 
Logon Failure: Account locked out
Symptoms: The server Event Viewer lists Event ID 539: Logon Failure: Reason: Account locked out User Name: <blin> Domain: <chicagotech.net> Logon Type: 3 ...
www.chicagotech.net/troubleshooting/event539.htm

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com

Q2: Hi Robert,

Thank you for the reply. I have found other references to this problem with
leaky access tokens.  I have been trying to determine if this entry in the
security log is an interactive log on/off event. So far I haven't found
anything definitive to describe what this event ID means when associated with
a userid. My goal is to provide evidence that this event id is not a user
logging in interactively.

Thanks

A2:

In general, ANONYMOUS LOGON is used by processes that use the null session logons (logons that do not require a user/password combination). Any program or service that is using the System user account is in fact logging in with null credentials. If the operating system encounters a user without any credentials, the user is regarded as having NULL credentials.


Bob Lin, MS-MVP, MCSE & CNE
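
The Logon Type field of a 538 (User Logoff) record is what separates a network logoff (type 3) from an interactive one, which is the distinction asked about in this thread. The following is an added example, not part of the original posts: it parses exported 538 descriptions and flags which sessions were interactive. The sample events, user names, and the text layout of the export are constructed assumptions.

```python
import re
from collections import Counter

# Logon Type values recorded in Windows security events.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
# Grouping chosen for this example: a person at the console or in a
# Terminal Services session.
INTERACTIVE = {2, 7, 10, 11}

# Constructed sample records; the "Event ID:" header line is an assumed export layout.
TEMPLATE = ("Event ID: 538\nUser Logoff:\n\tUser Name:\t{}\n\tDomain:\t\t{}\n"
            "\tLogon ID:\t\t{}\n\tLogon Type:\t{}\n")
SAMPLE = "".join(TEMPLATE.format(*row) for row in [
    ("jsmith", "EXAMPLE", "(0x0,0x1A2B3C)", 3),
    ("jsmith", "EXAMPLE", "(0x0,0x1A2C00)", 10),
    ("ANONYMOUS LOGON", "NT AUTHORITY", "(0x0,0x1A2D11)", 3),
    ("asmith", "EXAMPLE", "(0x0,0x1A2E22)", 2),
])

FIELD = re.compile(
    r"^[ \t]*(User Name|Domain|Logon ID|Logon Type):[ \t]*(.*?)[ \t]*$", re.M)

def parse_538(text):
    """Return one dict per Event ID 538 record found in exported log text."""
    events = []
    for chunk in re.split(r"(?m)^Event ID:[ \t]*", text):
        if not re.match(r"538\b", chunk):
            continue  # skip other event IDs and the empty leading chunk
        f = dict(FIELD.findall(chunk))
        raw = f.get("Logon Type", "")
        ltype = int(raw) if raw.isdigit() else None  # tolerate a missing field
        events.append({
            "user": f.get("User Name"), "logon_id": f.get("Logon ID"),
            "type": ltype, "type_name": LOGON_TYPES.get(ltype, "Unknown"),
            "interactive": ltype in INTERACTIVE,
        })
    return events

def summarize(events):
    """Count logoffs per (user, logon type name)."""
    return Counter((e["user"], e["type_name"]) for e in events)

if __name__ == "__main__":
    for (user, name), n in sorted(summarize(parse_538(SAMPLE)).items()):
        print(f"{user:18} {name:18} {n}")
```

The Logon ID value can be used to pair each logoff with the logon event that opened the same session.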

Copyright © 2002-2007 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.