Object crypt32LogoffEvent, EventID 560

Guest
Archived from groups: microsoft.public.win2000.general

Is this "crypt32LogoffEvent" event triggered by a password-protected
screensaver on an Active Directory deployed PC or a "Ctrl-Alt-Del" key
sequence to lock the machine?

I'm trying to figure out if the PC locked itself or if someone locked it
when the user walked away leaving the machine unlocked.
 
Guest

Hi,

Thanks for posting here.

From your post, my understanding of this issue is: You would like to know
whether the "crypt32LogoffEvent" event will be triggered when the system is
locked. If this is not correct, please feel free to let me know.

Based on my research, I don't think the "crypt32LogoffEvent" event is
related to locking the system. For more information, you may refer to the
following information:

When AuditBaseObjects is enabled, the operating system attaches a default
System Access Control List (SACL) to the object. SACLs are used by Windows
to audit access to files, registry keys, and other objects. When
AuditBaseObjects is disabled, no SACL is attached to newly created system
objects.

When a process requests a handle to an object, the caller must provide a
set of security credentials and a bitmask representing the type of access
required. If the security identity provided by the caller doesn't have the
access rights requested in the call, then the object access fails with
Access Denied. In the failure response, however, the operating system also
returns a bit mask telling the caller what permissions it does have. The
caller can request access again -- this time with a modified access mask --
and get a handle to the object.

This pattern can be seen in the audit logs if both Success and Failure
audits are recorded for object access, and looks similar to the following
events. First, a failure audit is logged:

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 10/26/2002
Time: 13:53:01
User: RESKIT\Administrator
Computer: SEA-FS-01
Description:
Object Open:
Object Server: Security
Object Type: Event
Object Name: \BaseNamedObjects\crypt32LogoffEvent
New Handle ID: -
Operation ID: {0,156054}
Process ID: 1320
Primary User Name: Administrator
Primary Domain: RESKIT
Primary Logon ID: (0x0,0xB4BE)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
          READ_CONTROL
          WRITE_DAC
          WRITE_OWNER
          SYNCHRONIZE
          Query event state
          Modify event state
Privileges: -

This is followed immediately by a success audit:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 10/26/2002
Time: 13:53:01
User: RESKIT\Administrator
Computer: SEA-FS-01
Description:
Object Open:
Object Server: Security
Object Type: Event
Object Name: \BaseNamedObjects\crypt32LogoffEvent
New Handle ID: 392
Operation ID: {0,156057}
Process ID: 1320
Primary User Name: Administrator
Primary Domain: RESKIT
Primary Logon ID: (0x0,0xB4BE)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: SYNCHRONIZE
Privileges: -

In this example, an application with the Process ID of 1320 and running in
the security context of the domain administrator attempted to access the
object \BaseNamedObjects\crypt32LogoffEvent. In the first attempt, the
process requested DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER,
SYNCHRONIZE, "Query event state", and "Modify event state" access. This
request failed because the process had insufficient permissions on this
object. Process 1320 immediately requested another
handle to the same object, but this time it requested only SYNCHRONIZE
access. This request succeeded. Note that the two events occurred within
the same second.

Audit events that match this pattern should be considered by design.
Failure audits that do not match this pattern may indicate that a running
process is attempting to access system objects inappropriately. It is
impossible, however, to determine this unless both Success and Failure
object access auditing is enabled in the computer's effective audit policy.

Microsoft recommends that AuditBaseObjects be enabled only if the stringent
security requirements of a particular server require this level of
auditing. This setting can be resource-intensive in the amount of disk
space required to adequately store the security logs, and also adds an
increased administrative burden.

Hope this helps!

Have a nice day!

Sincerely,
Tom Che
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security



--------------------
>From: "SPdaddy" <MCSE2bee@noemail.postalias>
>Subject: Object crypt32LogoffEvent, EventID 560
>Date: Mon, 22 Aug 2005 09:12:16 -0700
>Message-ID: <28EBBA6D-E323-4CAD-A532-E85A74140B41@microsoft.com>
>Newsgroups: microsoft.public.win2000.general
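The pairing rule described in the reply above (a Failure Audit followed within the same second by a Success Audit from the same process and logon session, for the same object, requesting strictly fewer accesses) can be applied mechanically to exported event text. The script below is an added example, not part of the original thread or of any Microsoft tool. It parses records in the flat "Field: value" layout shown above, using a constructed sample made of the two records quoted in the post (Process ID 1320) plus a hypothetical third failure (Process ID 2044, logon ID 0x1A2B3) that is never retried, and separates failures explained by the retry pattern from those that deserve a closer look. The one-second window, the strict-subset test on the access list and the use of the low part of Operation ID for ordering are assumptions of the example.

```python
import re
from datetime import datetime

# Constructed sample input (not a real log): the two records quoted in the
# post (Process ID 1320) plus a hypothetical failure (Process ID 2044) that is
# never followed by a reduced-access success. Fields the rule does not use
# are omitted from the sample.
SAMPLE_LOG = r"""
Event Type: Failure Audit
Event ID: 560
Date: 10/26/2002
Time: 13:53:01
Object Name: \BaseNamedObjects\crypt32LogoffEvent
Operation ID: {0,156054}
Process ID: 1320
Primary Logon ID: (0x0,0xB4BE)
Accesses DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
Query event state
Modify event state
Privileges -

Event Type: Success Audit
Event ID: 560
Date: 10/26/2002
Time: 13:53:01
Object Name: \BaseNamedObjects\crypt32LogoffEvent
Operation ID: {0,156057}
Process ID: 1320
Primary Logon ID: (0x0,0xB4BE)
Accesses SYNCHRONIZE
Privileges -

Event Type: Failure Audit
Event ID: 560
Date: 10/26/2002
Time: 13:55:42
Object Name: \BaseNamedObjects\crypt32LogoffEvent
Operation ID: {0,156210}
Process ID: 2044
Primary Logon ID: (0x0,0x1A2B3)
Accesses WRITE_DAC
WRITE_OWNER
Privileges -
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


def parse_records(text):
    """Split the flat 'Field: value' layout into dicts. The 'Accesses' list
    runs from the 'Accesses' line up to the 'Privileges' line."""
    records, cur, in_accesses = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Event Type:"):       # start of a new record
            cur, in_accesses = {"Accesses": []}, False
            records.append(cur)
        if cur is None:
            continue
        if line.startswith("Accesses"):          # "Accesses DELETE" or "Accesses: DELETE"
            in_accesses = True
            first = line[len("Accesses"):].strip(" :")
            if first:
                cur["Accesses"].append(first)
        elif line.startswith("Privileges"):
            in_accesses = False
            cur["Privileges"] = line[len("Privileges"):].strip(" :")
        elif in_accesses:                        # continuation line of the access list
            cur["Accesses"].append(line)
        else:
            m = FIELD_RE.match(line)
            if m:
                cur[m.group(1)] = m.group(2)
    return records


def _when(rec):
    return datetime.strptime(rec["Date"] + " " + rec["Time"], "%m/%d/%Y %H:%M:%S")


def _op_seq(rec):
    # "{0,156054}" -> 156054; orders events that share the same second
    return int(rec["Operation ID"].strip("{}").split(",")[1])


def classify(records, window_seconds=1):
    """Return (by_design, unexplained): failure audits that are, or are not,
    followed within window_seconds by a success from the same process and
    logon session on the same object that requests strictly fewer accesses."""
    def key(r):
        return (r["Process ID"], r["Primary Logon ID"], r["Object Name"])
    events = [r for r in records if r.get("Event ID") == "560"]
    successes = [r for r in events if r["Event Type"] == "Success Audit"]
    by_design, unexplained = [], []
    for f in (r for r in events if r["Event Type"] == "Failure Audit"):
        retry = next((s for s in successes if key(s) == key(f)
                      and _op_seq(s) > _op_seq(f)
                      and 0 <= (_when(s) - _when(f)).total_seconds() <= window_seconds
                      and set(s["Accesses"]) < set(f["Accesses"])), None)
        (by_design if retry else unexplained).append(f)
    return by_design, unexplained


if __name__ == "__main__":
    ok, bad = classify(parse_records(SAMPLE_LOG))
    for r in ok:
        print("by design:", r["Process ID"], r["Object Name"], r["Accesses"])
    for r in bad:
        print("REVIEW   :", r["Process ID"], r["Object Name"], r["Accesses"])
```

Run against the sample, the 1320 pair is reported as by design and the 2044 failure is left for review. As the reply notes, this only works when both Success and Failure object access auditing are enabled; with failures alone every record lands in the review list.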