Help with Event Viewer timetamp for login/logout?

[Guest Scott Ehrlich]

I have a Windows XP w/SP2 machine on an isolated LAN, with a Linux server

acting as a Samba NT 4 PDC.

 

A review on the Windows machine's event viewer revealed a user's account

that only had a logout entry and a very unusual hour. Just before that

entry, someone else had logged in and logged out, but several hours

beforehand.

 

I keep very tight controls on the systems, and I'm the only one with

Admin/root rights.

 

What might be the cause of that unusual entry?

 

Thanks for any insights.

 

Scott

[Guest Dave Patrick]

Re: Help with Event Viewer timetamp for login/logout?

 

Take a look at all automatic scheduled processes.

 

--

 

Regards,

 

Dave Patrick ....Please no email replies - reply in newsgroup.

Microsoft Certified Professional

Microsoft MVP [Windows]

http://www.microsoft.com/protect

 

"Scott Ehrlich" wrote:

>

> I have a Windows XP w/SP2 machine on an isolated LAN, with a Linux server

> acting as a Samba NT 4 PDC.

>

> A review on the Windows machine's event viewer revealed a user's account

> that only had a logout entry and a very unusual hour. Just before that

> entry, someone else had logged in and logged out, but several hours

> beforehand.

>

> I keep very tight controls on the systems, and I'm the only one with

> Admin/root rights.

>

> What might be the cause of that unusual entry?

>

> Thanks for any insights.

>

> Scott

[Guest Scott Ehrlich]

Re: Help with Event Viewer timetamp for login/logout?

 

 

Are there any knowledgebase articles that refer to possibly delayed event

log write action - such as a person logging out of a machine, that

information being cached but never written to disk until another action

forces the cache flush, and when the cache is flushed, then the event is

noted - a delayed action making it seem the event took place later than it

did?

 

In article <701CC355-462C-424E-A2C8-058B632EC632@microsoft.com>,

Dave Patrick <DSPatrick@nospam.gmail.com> wrote:

>Take a look at all automatic scheduled processes.

>

>--

>

>Regards,

>

>Dave Patrick ....Please no email replies - reply in newsgroup.

>Microsoft Certified Professional

>Microsoft MVP [Windows]

>http://www.microsoft.com/protect

>

>"Scott Ehrlich" wrote:

>>

>> I have a Windows XP w/SP2 machine on an isolated LAN, with a Linux server

>> acting as a Samba NT 4 PDC.

>>

>> A review on the Windows machine's event viewer revealed a user's account

>> that only had a logout entry and a very unusual hour. Just before that

>> entry, someone else had logged in and logged out, but several hours

>> beforehand.

>>

>> I keep very tight controls on the systems, and I'm the only one with

>> Admin/root rights.

>>

>> What might be the cause of that unusual entry?

>>

>> Thanks for any insights.

>>

>> Scott

>

[Guest Dave Patrick]

Re: Help with Event Viewer timetamp for login/logout?

 

None that I'm aware of. I don't think it would work that way. Some service

or task may be configured to use that account. Try changing the password to

see what breaks.

 

 

--

 

Regards,

 

Dave Patrick ....Please no email replies - reply in newsgroup.

Microsoft Certified Professional

Microsoft MVP [Windows]

http://www.microsoft.com/protect

 

"Scott Ehrlich" wrote:

>

> Are there any knowledgebase articles that refer to possibly delayed event

> log write action - such as a person logging out of a machine, that

> information being cached but never written to disk until another action

> forces the cache flush, and when the cache is flushed, then the event is

> noted - a delayed action making it seem the event took place later than it

> did?