
RE: Auditing a reboot

From: dave <dave(at)netmedic.net>
Date: Tue Apr 22 2003 - 03:07:53 EDT


Well, if you do not want to infer, you can:

In your Audit Policy of your Security Settings make sure you have "Audit Privilege Use" turned on for Success and Failure.

In the Security Log you will see an Event ID #578, Privilege Use for SeShutdownPrivilege, every time someone invokes it.

Now, #578 Privilege Use is logged for other privilege uses as well, so you will see them listed quite often. It is easiest to look at the System Log and see what time the "Event Service" stopped, and then look in the Security Log for #578 in the previous 2 minutes.

It lists all the info you want:

Privileged object operation:

 	Object Server:	EventLog
 	Object Handle:	0
 	Process ID:	224
 	Primary User Name:	xxxxxx
 	Primary Domain:	xxxxxx
 	Primary Logon ID:	(hex number)
 	Client User Name:	xxxxxx
 	Client Domain:	xxxxxx
 	Client Logon ID:	(hex number)
 	Privileges:	SeShutdownPrivilege

Hope this helps.



Dave Kleiman
dave@netmedic.net
www.netmedic.net  
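The correlation Dave describes, written out as an added example (this is not code from the thread or from any of its authors): take the time the Event Log service stopped from the System log, then look back two minutes in the Security log for 578 records whose Privileges field names SeShutdownPrivilege, ignoring the 578 records raised for other privileges. It runs over constructed records that mirror the field layout of the 578 listing above rather than over live logs. Assumptions of this example: the System-log marker used is event 6006 ("The Event log service was stopped"); the client/primary user-name fallback, the `candidates` list, and the sample account names are this example's own choices.

```python
"""Attribute a reboot by correlating Security-log event 578 (privileged object
operation using SeShutdownPrivilege) with the System-log record that the Event
Log service stopped. Runs over constructed records, not live event logs."""
from datetime import datetime, timedelta

# Windows 2000/2003 event IDs used here:
EVENTLOG_STOPPED = 6006      # System log: "The Event log service was stopped."
PRIVILEGED_OBJECT_OP = 578   # Security log: "Privileged object operation"
SHUTDOWN_PRIV = "SeShutdownPrivilege"


def parse_578_description(text):
    """Turn the 'Field:<tab>Value' body of a 578 event into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def account_from_578(fields):
    """Prefer the client (impersonated) identity, fall back to the primary token.
    Treating '-' or blank as 'no client identity' is an assumption of this example."""
    for prefix in ("Client", "Primary"):
        user = fields.get(prefix + " User Name", "")
        if user and user != "-":
            return f"{fields.get(prefix + ' Domain', '')}\\{user}"
    return None


def shutdown_initiators(system_events, security_events, window=timedelta(minutes=2)):
    """For every Event Log service stop, list who used SeShutdownPrivilege in the
    `window` before it. Events are dicts: {"time": datetime, "id": int, "desc": str}.
    Returns one dict per stop: stop time, most recent initiator, PID, all candidates."""
    stops = sorted(e["time"] for e in system_events if e["id"] == EVENTLOG_STOPPED)
    report = []
    for stop in stops:
        candidates = []
        for e in security_events:
            if e["id"] != PRIVILEGED_OBJECT_OP:
                continue
            fields = parse_578_description(e["desc"])
            # 578 also fires for SeBackupPrivilege, SeRestorePrivilege, etc.
            if SHUTDOWN_PRIV not in fields.get("Privileges", ""):
                continue
            if stop - window <= e["time"] <= stop:
                candidates.append((e["time"], account_from_578(fields), fields.get("Process ID")))
        candidates.sort(key=lambda c: c[0])
        report.append({
            "stopped": stop,
            "initiator": candidates[-1][1] if candidates else None,
            "process_id": candidates[-1][2] if candidates else None,
            "candidates": [c[1] for c in candidates],
        })
    return report


def priv_event(time, privilege, user, domain="CORP", pid="224"):
    """Build a constructed 578 record in the layout the Security log shows."""
    desc = "\n".join([
        "Privileged object operation:",
        "\tObject Server:\tEventLog",
        "\tObject Handle:\t0",
        f"\tProcess ID:\t{pid}",
        f"\tPrimary User Name:\t{user}",
        f"\tPrimary Domain:\t{domain}",
        "\tPrimary Logon ID:\t(0x0,0x3E7)",
        f"\tClient User Name:\t{user}",
        f"\tClient Domain:\t{domain}",
        "\tClient Logon ID:\t(0x0,0x3E7)",
        f"\tPrivileges:\t{privilege}",
    ])
    return {"time": time, "id": PRIVILEGED_OBJECT_OP, "desc": desc}


# Constructed sample logs (deliberately not in time order).
SECURITY_LOG = [
    priv_event(datetime(2003, 4, 21, 8, 40, 5), "SeBackupPrivilege", "backupsvc", pid="1188"),  # 578, but not a shutdown
    priv_event(datetime(2003, 4, 21, 8, 41, 20), "SeShutdownPrivilege", "alice"),                # the reboot
    priv_event(datetime(2003, 4, 21, 8, 12, 0), "SeShutdownPrivilege", "jdoe"),                  # outside the window
    priv_event(datetime(2003, 4, 21, 8, 40, 30), "SeShutdownPrivilege", "bob"),                  # earlier, inside the window
]
SYSTEM_LOG = [
    {"time": datetime(2003, 4, 21, 8, 41, 48), "id": EVENTLOG_STOPPED, "desc": "The Event log service was stopped."},
    {"time": datetime(2003, 4, 21, 8, 43, 30), "id": 6005, "desc": "The Event log service was started."},
]

if __name__ == "__main__":
    for r in shutdown_initiators(SYSTEM_LOG, SECURITY_LOG):
        print(f"{r['stopped']:%Y-%m-%d %H:%M:%S}  initiator={r['initiator']}  "
              f"pid={r['process_id']}  candidates={r['candidates']}")
```

The `candidates` list is kept on purpose: as Dave notes, SeShutdownPrivilege use is logged for every invocation, so more than one account can appear in the window, and the most recent one before the service stop is only the best candidate, not proof.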

-----Original Message-----
From: Logan F.D. Greenlee [mailto:lgreenlee@ciretose.net]
Sent: Monday, April 21, 2003 15:25
To: Hillensbeck, Preston; focus-ms@securityfocus.com
Subject: RE: Auditing a reboot

Preston,

If you use success auditing for logons and logoffs, you can infer the rebooting user from the security log.

- Logan

> -----Original Message-----
> From: Hillensbeck, Preston [mailto:PHillensbeck@sfbcic.com]
> Sent: Monday, April 21, 2003 8:34 AM
> To: 'Brad Judy'; focus-ms@securityfocus.com
> Subject: RE: Auditing a reboot
>
>
> I guess I should have been more specific! What I am trying
> to audit is an event that says who or what rebooted the
> machine. I see the normal 6005 and 6009 event messages, but
> I would really like to know who initiated the reboot. Is
> this possible?



Received on Tue Apr 22 13:34:20 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:29 EDT

