
Event ID 576/538 - Guest Logon


Recently, I got a message when I logged onto my PC that the event viewer
logs were full.

When I took a look in the security logs in event viewer, I saw pages and
pages of Event ID 576, followed by 538 using the guest id. In terms of
timing, the 538 was always about 1 second after the 576.

What would cause these messages and if it was a hacker, was it successful or not and what would he have had access to?

At the bottom of this message are the details of the 538 and 576.

Some details of my PC:

1. My PC is running XP Pro fully patched. I don't use any peer-to-peer
file sharing programs.
2. I have run Computer Associates, McAfee and Kaspersky antivirus. No
virus found.
3. I have run Ad-Aware, Windows Defender, and trial Trojan Hunter. No
malware found.
4. Remote desktop was enabled on the PC but was hardened so that after 3
failed logon attempts, the system would lock the account out for 30 minutes.
I was also not using the default port for Remote Desktop so that it couldn't
be detected in a random port scan.
5. This PC (Computer A) was not behind a hardware firewall, but did have
Sygate firewall running. Sygate was configured to accept incoming
connections from only 1 IP address (Computer B), which was the IP address
from the PC from which I would start the remote desktop. I know this would
work because if I did try and ping Computer A from Computer B, I would get a
response. If however, I tried to ping Computer A from any other IP address,
I would get timeout messages.
6. File and print sharing was enabled, but no shares were created. Net
share from a DOS prompt shows only the default shares were enabled.
7. Event viewer did not show any failed guest logons.

Here are the messages:

Event ID 576

Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x1EC738B8)
Privileges: SeChangeNotifyPrivilege

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event ID 538

User Logoff:
User Name: Guest
Domain: WORK
Logon ID: (0x0,0x1EC7356E)
Logon Type: 3

------------------------------ "Alcoholism is a disease, but it's the only one you can get yelled at for having. Goddammit Otto, you are an alcoholic. Goddammit Otto, you have Lupus... one of those two doesn't sound right." M. H.
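
One way to triage a log like the one described above, as an added example that is not part of the original post: pair each 576 with the 538 that carries the same Logon ID, then list the Guest sessions with Logon Type 3 (network logon) and how long each lasted. The records are constructed in the field layout of the two messages quoted in the post, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample records (timestamp, event ID, description). The field
# layout copies the two messages quoted in the post; the values are made up.
E576 = "Special privileges assigned to new logon:\nUser Name:\nDomain:\nLogon ID: {}\nPrivileges: SeChangeNotifyPrivilege"
E538 = "User Logoff:\nUser Name: {}\nDomain: WORK\nLogon ID: {}\nLogon Type: {}"
SAMPLE = [
    ("2006-05-01 10:00:00", 576, E576.format("(0x0,0x1A)")),
    ("2006-05-01 10:00:01", 538, E538.format("Guest", "(0x0,0x1A)", 3)),
    ("2006-05-01 10:00:07", 576, E576.format("(0x0,0x2B)")),
    ("2006-05-01 10:00:08", 538, E538.format("Guest", "(0x0,0x2B)", 3)),
    ("2006-05-01 10:05:00", 576, E576.format("(0x0,0x3C)")),
    ("2006-05-01 10:45:00", 538, E538.format("Owner", "(0x0,0x3C)", 2)),
    ("2006-05-01 10:50:00", 576, E576.format("(0x0,0x4D)")),  # no logoff yet
]

FIELD = re.compile(r"^([A-Za-z ]+):[ \t]*(.*)$", re.M)

def fields(text):
    """Turn the 'Name: value' lines of an event description into a dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(text)}

def pair_sessions(records):
    """Match each 576 to the 538 carrying the same Logon ID."""
    open_logons, sessions = {}, []
    for ts, event_id, text in sorted(records, key=lambda r: r[0]):
        f = fields(text)
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        logon_id = f.get("Logon ID")
        if event_id == 576:
            open_logons[logon_id] = (when, f.get("User Name", ""))
        elif event_id == 538 and logon_id in open_logons:
            start, user = open_logons.pop(logon_id)
            sessions.append({
                "logon_id": logon_id,
                # The 576 text may have a blank User Name, as in the post.
                "user": f.get("User Name") or user,
                "logon_type": f.get("Logon Type"),
                "seconds": (when - start).total_seconds(),
            })
    return sessions, sorted(open_logons)

def guest_network_sessions(sessions):
    """Guest sessions with Logon Type 3 (network logon)."""
    return [s for s in sessions
            if s["user"].lower() == "guest" and s["logon_type"] == "3"]

if __name__ == "__main__":
    sessions, still_open = pair_sessions(SAMPLE)
    for s in guest_network_sessions(sessions):
        print(s["logon_id"], s["user"], f'{s["seconds"]:.0f}s')
    print("no logoff seen:", still_open)
```

A 576 left in the "no logoff seen" list is a session that was still open when the log ended or was cleared.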