Microsoft KB Archive/828857

= The User Logoff Event ID 538 Is Not Logged to the Security Event Log When You Shut Down Your Computer and Then Restart It =

Article ID: 828857

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition






SYMPTOMS
If you configure an audit policy to audit successful logon and logoff events, you may find that the user logoff audit event ID 538 is not logged to the security event log after you shut down your computer and then restart it.



CAUSE
This behavior occurs because during the shutdown process, the service that writes to the security event log is already stopped when the last token for the user who logs off is released. As a result, the user logoff audit event ID 538 is not logged to the security event log when you shut down your computer and then restart it. This behavior is by design.



WORKAROUND
To work around this behavior, configure an audit policy to audit successful system events. To do this, follow these steps on the local computer.

Note: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
 * 1) Click Start, and then click Control Panel.
 * 2) Double-click Administrative Tools, and then double-click Local Security Settings.
 * 3) Expand Local Policies, and then expand Audit Policy.
 * 4) In the right pane, double-click Audit system events.
 * 5) Click to select the Success check box, and then click OK.
 * 6) Restart the computer.

The following event ID is logged to the security event log:

 * Type: Success Audit
 * Source: Security
 * Category: System
 * Event ID: 512
 * Description: Windows is starting up.

Also, if you are running Windows Server 2003 or Windows XP, the following event is logged to the security event log:

 * Type: Success Audit
 * Source: Security
 * Category: Logon/Logoff
 * Event ID: 551
 * Description: User initiated logoff:
 ** User Name:
 ** Domain:
 ** Logon ID:
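The following sketch is an added example, not part of the Microsoft article. It shows how a log reviewer can use events 551 and 512 to account for sessions whose event 538 was never written. The tuple layout, the sample records and the function name `classify_logoffs` are constructed for illustration, and the code assumes that a 538 event follows its 551 event for the same Logon ID within one boot.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records, not real log output: (time, event ID, Logon ID).
EVENTS = [
    ("2006-10-30 08:00:05", 512, None),       # Windows is starting up
    ("2006-10-30 12:10:00", 551, "0x1a2b3"),  # user initiated logoff
    ("2006-10-30 12:10:02", 538, "0x1a2b3"),  # logoff audited normally
    ("2006-10-30 17:45:00", 551, "0x2c4d5"),  # logoff during shutdown
    ("2006-10-30 17:47:30", 512, None),       # restart; no 538 was written
    ("2006-10-31 09:00:00", 551, "0x3e6f7"),  # neither 538 nor 512 follows
]

def classify_logoffs(events):
    """Map each 551 Logon ID to (status, end_time).

    'logged'           -> a 538 for the same Logon ID exists before the next 512
    'ended_by_restart' -> no 538, but a later 512 proves the session ended
    'open'             -> no 538 and no later 512; the session may still exist
    """
    parsed = [(datetime.strptime(ts, FMT), eid, lid) for ts, eid, lid in events]
    parsed.sort(key=lambda e: e[0])
    startups = [t for t, eid, _ in parsed if eid == 512]
    result = {}
    for t, eid, lid in parsed:
        if eid != 551:
            continue
        next_boot = next((b for b in startups if b > t), None)
        # Logon IDs can repeat after a restart, so only accept a 538 that
        # falls between this 551 and the next startup.
        end = next((x for x, e, l in parsed
                    if e == 538 and l == lid and x >= t
                    and (next_boot is None or x < next_boot)), None)
        if end is not None:
            result[lid] = ("logged", end)
        elif next_boot is not None:
            result[lid] = ("ended_by_restart", next_boot)
        else:
            result[lid] = ("open", None)
    return result

if __name__ == "__main__":
    for lid, (status, when) in classify_logoffs(EVENTS).items():
        print(lid, status, when)
```

For a session reported as `ended_by_restart`, the 512 timestamp is an upper bound on when the session ended, not the exact logoff time.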

Keywords: kbprb KB828857


© Microsoft Corporation. All rights reserved.