What is the event Viewer telling me?

Archived from groups: microsoft.public.windowsxp.basics (More info?)

I just found the event viewer in the program menu under admin tools. When I
click the Security tab it lists what looks like a series of network events.
User is shown as me, system, network services, local service or guest most
of the time. Guest appears to be when another computer on my network (2
other family members) accesses my disk. Event numbers are usually 528 or
576 or 850 or 849 or 680 plus a few others.

My concern is that every few hours there is an entry of event 540 with user
Anonymous Logon ! Properties says logon type = 3 and windows help says that
is somebody on the network logging in, but this is happening when only me is
using the computer and nothing else on the network is switched on.

I have not noticed anything going on that is suspicious but this entry in
the event viewer certainly does look suspicious.

Have I been hacked or is there an innocent explanation?
7 answers Last reply
More about what event viewer telling
  1. Archived from groups: microsoft.public.windowsxp.basics (More info?)

    Please try your question on the windowsxp.network_web newsgroup.

    --
    Michael Solomon MS-MVP
    Windows Shell/User
    Backup is a PC User's Best Friend
    DTS-L.Org: http://www.dts-l.org/

    "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    news:u%23GlmUSlEHA.2340@TK2MSFTNGP11.phx.gbl...
    >I just found the event viewer in the program menu under admin tools. When
    >I click the Security tab it lists what looks like a series of network
    >events. User is shown as me, system, network services, local service or
    >guest most of the time. Guest appears to be when another computer on my
    >network (2 other family members) accesses my disk. Event numbers are
    >usually 528 or 576 or 850 or 849 or 680 plus a few others.
    >
    > My concern is that every few hours there is an entry of event 540 with
    > user Anonymous Logon ! Properties says logon type = 3 and windows help
    > says that is somebody on the network logging in, but this is happening
    > when only me is using the computer and nothing else on the network is
    > switched on.
    >
    > I have not noticed anything going on that is suspicious but this entry in
    > the event viewer certainly does look suspicious.
    >
    > Have I been hacked or is there an innocent explanation?
    >
    >
  2. Archived from groups: microsoft.public.windowsxp.basics (More info?)

    Just one more thing. I have now seen that in the application tab WMDM PMSP
    Service is starting 2 seconds before every anonymous login. There is an
    article about a security hole related to Media Player & this service but I
    do have all the critical updates installed as far as I know.


    "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    news:u%23GlmUSlEHA.2340@TK2MSFTNGP11.phx.gbl...
    >I just found the event viewer in the program menu under admin tools. When
    >I click the Security tab it lists what looks like a series of network
    >events. User is shown as me, system, network services, local service or
    >guest most of the time. Guest appears to be when another computer on my
    >network (2 other family members) accesses my disk. Event numbers are
    >usually 528 or 576 or 850 or 849 or 680 plus a few others.
    >
    > My concern is that every few hours there is an entry of event 540 with
    > user Anonymous Logon ! Properties says logon type = 3 and windows help
    > says that is somebody on the network logging in, but this is happening
    > when only me is using the computer and nothing else on the network is
    > switched on.
    >
    > I have not noticed anything going on that is suspicious but this entry in
    > the event viewer certainly does look suspicious.
    >
    > Have I been hacked or is there an innocent explanation?
    >
    >
  3. Archived from groups: microsoft.public.windowsxp.basics (More info?)

    Media Player does check the web periodically though usually it needs to be
    invoked to do so. Was it open when this happened?

    You might also want to check the following Knowledge Base Article:
    http://support.microsoft.com/?kbid=321677

    --
    Michael Solomon MS-MVP
    Windows Shell/User
    Backup is a PC User's Best Friend
    DTS-L.Org: http://www.dts-l.org/

    "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    news:O7hT2bSlEHA.3876@TK2MSFTNGP15.phx.gbl...
    > Just one more thing. I have now seen that in the application tab WMDM
    > PMSP Service is starting 2 seconds before every anonymous login. There is
    > an article about a security hole related to Media Player & this service
    > but I do have all the critical updates installed as far as I know.
    >
    >
    > "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    > news:u%23GlmUSlEHA.2340@TK2MSFTNGP11.phx.gbl...
    >>I just found the event viewer in the program menu under admin tools. When
    >>I click the Security tab it lists what looks like a series of network
    >>events. User is shown as me, system, network services, local service or
    >>guest most of the time. Guest appears to be when another computer on my
    >>network (2 other family members) accesses my disk. Event numbers are
    >>usually 528 or 576 or 850 or 849 or 680 plus a few others.
    >>
    >> My concern is that every few hours there is an entry of event 540 with
    >> user Anonymous Logon ! Properties says logon type = 3 and windows help
    >> says that is somebody on the network logging in, but this is happening
    >> when only me is using the computer and nothing else on the network is
    >> switched on.
    >>
    >> I have not noticed anything going on that is suspicious but this entry in
    >> the event viewer certainly does look suspicious.
    >>
    >> Have I been hacked or is there an innocent explanation?
    >>
    >>
    >
    >
  4. Archived from groups: microsoft.public.windowsxp.basics (More info?)

    Its not Media Player - I got another anonymous logon 10 minutes ago when it
    was not playing. Also I just started it and invoked a request for album
    information but got no entry in the event log.

    The KB article was the one I read myself, but as far as I can tell I have
    installed the relevant update. I tried posting this to the network group as
    you suggested so maybe one of them can help but if you can suggest how I can
    find out what is invoking this I would be grateful. I am connected to the
    web 24/7 so a hacker may have an opportunity but then I have firewall in my
    router as well as McAfee & Spy Sweeper running so the lack of any other
    signs suggest it is innocent, but never the less a bit concerning.

    Lorne


    "Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote in
    message news:u39sVmSlEHA.596@TK2MSFTNGP11.phx.gbl...
    > Media Player does check the web periodically though usually it needs to be
    > invoked to do so. Was it open when this happened?
    >
    > You might also want to check the following Knowledge Base Article:
    > http://support.microsoft.com/?kbid=321677
    >
    > --
    > Michael Solomon MS-MVP
    > Windows Shell/User
    > Backup is a PC User's Best Friend
    > DTS-L.Org: http://www.dts-l.org/
    >
    > "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    > news:O7hT2bSlEHA.3876@TK2MSFTNGP15.phx.gbl...
    >> Just one more thing. I have now seen that in the application tab WMDM
    >> PMSP Service is starting 2 seconds before every anonymous login. There
    >> is an article about a security hole related to Media Player & this
    >> service but I do have all the critical updates installed as far as I
    >> know.
    >>
    >>
    >> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    >> news:u%23GlmUSlEHA.2340@TK2MSFTNGP11.phx.gbl...
    >>>I just found the event viewer in the program menu under admin tools.
    >>>When I click the Security tab it lists what looks like a series of
    >>>network events. User is shown as me, system, network services, local
    >>>service or guest most of the time. Guest appears to be when another
    >>>computer on my network (2 other family members) accesses my disk. Event
    >>>numbers are usually 528 or 576 or 850 or 849 or 680 plus a few others.
    >>>
    >>> My concern is that every few hours there is an entry of event 540 with
    >>> user Anonymous Logon ! Properties says logon type = 3 and windows help
    >>> says that is somebody on the network logging in, but this is happening
    >>> when only me is using the computer and nothing else on the network is
    >>> switched on.
    >>>
    >>> I have not noticed anything going on that is suspicious but this entry
    >>> in the event viewer certainly does look suspicious.
    >>>
    >>> Have I been hacked or is there an innocent explanation?
    >>>
    >>>
    >>
    >>
    >
    >
  5. Archived from groups: microsoft.public.windowsxp.basics (More info?)

    The firewall in your router won't tell you if anything is trying to phone
    home and what that application is. You need a software firewall as well.
    XP's built in firewall doesn't handle outgoing requests but there are
    several free firewalls with this capability:
    www.agnitum.com
    www.zonelabs.com
    www.sygate.com
    http://www.tinysoftware.com/home/tiny2?la=EN
    http://www.kerio.com/kerio.html

    Also check for any malware on your system, download, install and run Ad
    Aware:
    www.lavasoftusa.com.

    Also check your applications for options that automatically check for
    updates as this could be the issue as well.


    --
    Michael Solomon MS-MVP
    Windows Shell/User
    Backup is a PC User's Best Friend
    DTS-L.Org: http://www.dts-l.org/

    "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    news:uXUluuSlEHA.1652@TK2MSFTNGP09.phx.gbl...
    > Its not Media Player - I got another anonymous logon 10 minutes ago when
    > it was not playing. Also I just started it and invoked a request for
    > album information but got no entry in the event log.
    >
    > The KB article was the one I read myself, but as far as I can tell I have
    > installed the relevant update. I tried posting this to the network group
    > as you suggested so maybe one of them can help but if you can suggest how
    > I can find out what is invoking this I would be grateful. I am connected
    > to the web 24/7 so a hacker may have an opportunity but then I have
    > firewall in my router as well as McAfee & Spy Sweeper running so the lack
    > of any other signs suggest it is innocent, but never the less a bit
    > concerning.
    >
    > Lorne
    >
    >
    > "Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote in
    > message news:u39sVmSlEHA.596@TK2MSFTNGP11.phx.gbl...
    >> Media Player does check the web periodically though usually it needs to
    >> be invoked to do so. Was it open when this happened?
    >>
    >> You might also want to check the following Knowledge Base Article:
    >> http://support.microsoft.com/?kbid=321677
    >>
    >> --
    >> Michael Solomon MS-MVP
    >> Windows Shell/User
    >> Backup is a PC User's Best Friend
    >> DTS-L.Org: http://www.dts-l.org/
    >>
    >> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    >> news:O7hT2bSlEHA.3876@TK2MSFTNGP15.phx.gbl...
    >>> Just one more thing. I have now seen that in the application tab WMDM
    >>> PMSP Service is starting 2 seconds before every anonymous login. There
    >>> is an article about a security hole related to Media Player & this
    >>> service but I do have all the critical updates installed as far as I
    >>> know.
    >>>
    >>>
    >>> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    >>> news:u%23GlmUSlEHA.2340@TK2MSFTNGP11.phx.gbl...
    >>>>I just found the event viewer in the program menu under admin tools.
    >>>>When I click the Security tab it lists what looks like a series of
    >>>>network events. User is shown as me, system, network services, local
    >>>>service or guest most of the time. Guest appears to be when another
    >>>>computer on my network (2 other family members) accesses my disk. Event
    >>>>numbers are usually 528 or 576 or 850 or 849 or 680 plus a few others.
    >>>>
    >>>> My concern is that every few hours there is an entry of event 540 with
    >>>> user Anonymous Logon ! Properties says logon type = 3 and windows help
    >>>> says that is somebody on the network logging in, but this is happening
    >>>> when only me is using the computer and nothing else on the network is
    >>>> switched on.
    >>>>
    >>>> I have not noticed anything going on that is suspicious but this entry
    >>>> in the event viewer certainly does look suspicious.
    >>>>
    >>>> Have I been hacked or is there an innocent explanation?
    >>>>
    >>>>
    >>>
    >>>
    >>
    >>
    >
    >
  6. Archived from groups: microsoft.public.windowsxp.basics (More info?)

    In case you are interested I have now traced it - it seems to be mapped
    drives on other computers on my home network.


    "Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote in
    message news:%232nxO6UlEHA.3432@TK2MSFTNGP14.phx.gbl...
    > The firewall in your router won't tell you if anything is trying to phone
    > home and what that application is. You need a software firewall as well.
    > XP's built in firewall doesn't handle outgoing requests but there are
    > several free firewalls with this capability:
    > www.agnitum.com
    > www.zonelabs.com
    > www.sygate.com
    > http://www.tinysoftware.com/home/tiny2?la=EN
    > http://www.kerio.com/kerio.html
    >
    > Also check for any malware on your system, download, install and run Ad
    > Aware:
    > www.lavasoftusa.com.
    >
    > Also check your applications for options that automatically check for
    > updates as this could be the issue as well.
    >
    >
    > --
    > Michael Solomon MS-MVP
    > Windows Shell/User
    > Backup is a PC User's Best Friend
    > DTS-L.Org: http://www.dts-l.org/
    >
    > "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    > news:uXUluuSlEHA.1652@TK2MSFTNGP09.phx.gbl...
    >> Its not Media Player - I got another anonymous logon 10 minutes ago when
    >> it was not playing. Also I just started it and invoked a request for
    >> album information but got no entry in the event log.
    >>
    >> The KB article was the one I read myself, but as far as I can tell I have
    >> installed the relevant update. I tried posting this to the network group
    >> as you suggested so maybe one of them can help but if you can suggest how
    >> I can find out what is invoking this I would be grateful. I am connected
    >> to the web 24/7 so a hacker may have an opportunity but then I have
    >> firewall in my router as well as McAfee & Spy Sweeper running so the lack
    >> of any other signs suggest it is innocent, but never the less a bit
    >> concerning.
    >>
    >> Lorne
    >>
    >>
    >> "Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote in
    >> message news:u39sVmSlEHA.596@TK2MSFTNGP11.phx.gbl...
    >>> Media Player does check the web periodically though usually it needs to
    >>> be invoked to do so. Was it open when this happened?
    >>>
    >>> You might also want to check the following Knowledge Base Article:
    >>> http://support.microsoft.com/?kbid=321677
    >>>
    >>> --
    >>> Michael Solomon MS-MVP
    >>> Windows Shell/User
    >>> Backup is a PC User's Best Friend
    >>> DTS-L.Org: http://www.dts-l.org/
    >>>
    >>> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    >>> news:O7hT2bSlEHA.3876@TK2MSFTNGP15.phx.gbl...
    >>>> Just one more thing. I have now seen that in the application tab WMDM
    >>>> PMSP Service is starting 2 seconds before every anonymous login. There
    >>>> is an article about a security hole related to Media Player & this
    >>>> service but I do have all the critical updates installed as far as I
    >>>> know.
    >>>>
    >>>>
    >>>> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    >>>> news:u%23GlmUSlEHA.2340@TK2MSFTNGP11.phx.gbl...
    >>>>>I just found the event viewer in the program menu under admin tools.
    >>>>>When I click the Security tab it lists what looks like a series of
    >>>>>network events. User is shown as me, system, network services, local
    >>>>>service or guest most of the time. Guest appears to be when another
    >>>>>computer on my network (2 other family members) accesses my disk.
    >>>>>Event numbers are usually 528 or 576 or 850 or 849 or 680 plus a few
    >>>>>others.
    >>>>>
    >>>>> My concern is that every few hours there is an entry of event 540 with
    >>>>> user Anonymous Logon ! Properties says logon type = 3 and windows
    >>>>> help says that is somebody on the network logging in, but this is
    >>>>> happening when only me is using the computer and nothing else on the
    >>>>> network is switched on.
    >>>>>
    >>>>> I have not noticed anything going on that is suspicious but this entry
    >>>>> in the event viewer certainly does look suspicious.
    >>>>>
    >>>>> Have I been hacked or is there an innocent explanation?
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>>
    >>>
    >>
    >>
    >
    >
  7. Archived from groups: microsoft.public.windowsxp.basics (More info?)

    Thanks for the information, glad you got it sorted out.

    --
    Michael Solomon MS-MVP
    Windows Shell/User
    Backup is a PC User's Best Friend
    DTS-L.Org: http://www.dts-l.org/

    "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    news:uXGgTtmlEHA.1244@TK2MSFTNGP15.phx.gbl...
    > In case you are interested I have now traced it - it seems to be mapped
    > drives on other computers on my home network.
    >
    >
    > "Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote in
    > message news:%232nxO6UlEHA.3432@TK2MSFTNGP14.phx.gbl...
    >> The firewall in your router won't tell you if anything is trying to phone
    >> home and what that application is. You need a software firewall as well.
    >> XP's built in firewall doesn't handle outgoing requests but there are
    >> several free firewalls with this capability:
    >> www.agnitum.com
    >> www.zonelabs.com
    >> www.sygate.com
    >> http://www.tinysoftware.com/home/tiny2?la=EN
    >> http://www.kerio.com/kerio.html
    >>
    >> Also check for any malware on your system, download, install and run Ad
    >> Aware:
    >> www.lavasoftusa.com.
    >>
    >> Also check your applications for options that automatically check for
    >> updates as this could be the issue as well.
    >>
    >>
    >> --
    >> Michael Solomon MS-MVP
    >> Windows Shell/User
    >> Backup is a PC User's Best Friend
    >> DTS-L.Org: http://www.dts-l.org/
    >>
    >> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    >> news:uXUluuSlEHA.1652@TK2MSFTNGP09.phx.gbl...
    >>> Its not Media Player - I got another anonymous logon 10 minutes ago when
    >>> it was not playing. Also I just started it and invoked a request for
    >>> album information but got no entry in the event log.
    >>>
    >>> The KB article was the one I read myself, but as far as I can tell I
    >>> have installed the relevant update. I tried posting this to the network
    >>> group as you suggested so maybe one of them can help but if you can
    >>> suggest how I can find out what is invoking this I would be grateful. I
    >>> am connected to the web 24/7 so a hacker may have an opportunity but
    >>> then I have firewall in my router as well as McAfee & Spy Sweeper
    >>> running so the lack of any other signs suggest it is innocent, but never
    >>> the less a bit concerning.
    >>>
    >>> Lorne
    >>>
    >>>
    >>> "Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote in
    >>> message news:u39sVmSlEHA.596@TK2MSFTNGP11.phx.gbl...
    >>>> Media Player does check the web periodically though usually it needs to
    >>>> be invoked to do so. Was it open when this happened?
    >>>>
    >>>> You might also want to check the following Knowledge Base Article:
    >>>> http://support.microsoft.com/?kbid=321677
    >>>>
    >>>> --
    >>>> Michael Solomon MS-MVP
    >>>> Windows Shell/User
    >>>> Backup is a PC User's Best Friend
    >>>> DTS-L.Org: http://www.dts-l.org/
    >>>>
    >>>> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    >>>> news:O7hT2bSlEHA.3876@TK2MSFTNGP15.phx.gbl...
    >>>>> Just one more thing. I have now seen that in the application tab WMDM
    >>>>> PMSP Service is starting 2 seconds before every anonymous login.
    >>>>> There is an article about a security hole related to Media Player &
    >>>>> this service but I do have all the critical updates installed as far
    >>>>> as I know.
    >>>>>
    >>>>>
    >>>>> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
    >>>>> news:u%23GlmUSlEHA.2340@TK2MSFTNGP11.phx.gbl...
    >>>>>>I just found the event viewer in the program menu under admin tools.
    >>>>>>When I click the Security tab it lists what looks like a series of
    >>>>>>network events. User is shown as me, system, network services, local
    >>>>>>service or guest most of the time. Guest appears to be when another
    >>>>>>computer on my network (2 other family members) accesses my disk.
    >>>>>>Event numbers are usually 528 or 576 or 850 or 849 or 680 plus a few
    >>>>>>others.
    >>>>>>
    >>>>>> My concern is that every few hours there is an entry of event 540
    >>>>>> with user Anonymous Logon ! Properties says logon type = 3 and
    >>>>>> windows help says that is somebody on the network logging in, but
    >>>>>> this is happening when only me is using the computer and nothing else
    >>>>>> on the network is switched on.
    >>>>>>
    >>>>>> I have not noticed anything going on that is suspicious but this
    >>>>>> entry in the event viewer certainly does look suspicious.
    >>>>>>
    >>>>>> Have I been hacked or is there an innocent explanation?
    >>>>>>
    >>>>>>
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>>
    >>>
    >>
    >>
    >
    >
Ask a new question

Read More

Event Viewer Computers Microsoft Windows XP