 
From: Peter Snell (PSnell_at_daymon.com)
Date: Mon Jan 13 2003 - 09:19:31 CST


    www.eventid.net is a good resource for researching events if you have an
    Event ID from the viewer.

    LoginID is probably referencing the SID,

    Logon Type 3 is a network logon,

    Logon Process KSecDD is the Kerberos Security Device Driver.

    You can build a list that maps the SIDs to usernames like this:

    1. Dump the user list to a text file with the NET USERS command or with
    Addusers.exe.
    2. Modify this text file to remove unwanted information (headers, and so
    forth).
    3. Modify the resulting list of user names into a batch file, using the
    GETSID resource kit utility to translate each user name into a SID. Redirect
    the output to a text file.
    4. When you encounter a SID, search the text file (created previously) for
    that SID. This will place you on the line with the user's name.

    Hope this helps,

    Pete

    -----Original Message-----
    From: John Smith [mailto:for3nsics@yahoo.com.au]
    Sent: Sunday, January 12, 2003 11:11 PM
    To: focus-ms@securityfocus.com
    Subject: Understanding Event Details in Windows NT

    Hi all,

    I'm curious to know what the contents of the event
    details mean in MS event Viewer.

    i.e. How do you determine from a successful Logon that
    the user only viewed event logs remotely and didn't
    mount a share ?

    Some other question:
    What does "LoginID: (0x0,0xDFA0E5)" mean ?

    What does "Logon Type: 3" mean ?

    What does "Logon Process: KSecDD" mean ?

    Thanks in advance.

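The following is an added example, not part of either message in this thread, showing the two pieces of the reply above in code: parsing the fields of an NT-style successful-logon event (User Name, Domain, Logon ID, Logon Type, Logon Process) and looking up the account's SID in the text file that step 3 of the reply produces. Both the event body and the SID file are constructed samples; the "The SID for account X is S-..." line format is an assumption about GETSID's output used only so the example runs offline, and the logon type table is the standard Windows security-log numbering (3 = network, as the reply says).

```python
import re

# Standard Windows security-log logon type numbers (3 = network, per the reply above).
LOGON_TYPES = {
    2: "interactive (console)",
    3: "network",
    4: "batch",
    5: "service",
    7: "unlock",
}

# Constructed NT-style event body, using the field names quoted in the thread.
SAMPLE_EVENT = """\
Successful Logon:
    User Name:              jsmith
    Domain:                 CORP
    Logon ID:               (0x0,0xDFA0E5)
    Logon Type:             3
    Logon Process:          KSecDD
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:       WS01
"""

# Constructed stand-in for the redirected GETSID output from step 3 of the reply.
# The exact wording of the real tool may differ; this is the format assumed here.
SAMPLE_SID_FILE = """\
The SID for account CORP\\jsmith is S-1-5-21-1111111111-2222222222-3333333333-1105
The SID for account CORP\\backupsvc is S-1-5-21-1111111111-2222222222-3333333333-1120
The SID for account CORP\\Administrator is S-1-5-21-1111111111-2222222222-3333333333-500
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")
SID_LINE_RE = re.compile(r"account\s+(\S+)\s+is\s+(S-1-[\d-]+)", re.IGNORECASE)
LOGON_ID_RE = re.compile(r"\(0x([0-9A-Fa-f]+),0x([0-9A-Fa-f]+)\)")


def parse_event(body):
    """Split an event detail body into a {field name: value} dict."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def parse_logon_id(text):
    """Turn '(0xHIGH,0xLOW)' into a single integer so two events can be compared."""
    m = LOGON_ID_RE.search(text)
    if not m:
        raise ValueError("not a Logon ID: %r" % text)
    return (int(m.group(1), 16) << 32) | int(m.group(2), 16)


def logon_type_meaning(value):
    return LOGON_TYPES.get(int(value), "unknown logon type %s" % value)


def load_sid_map(text):
    """Step 4 of the reply: index the SID file so a SID can be resolved to its account."""
    sid_to_account = {}
    for line in text.splitlines():
        m = SID_LINE_RE.search(line)
        if m:
            sid_to_account[m.group(2)] = m.group(1)
    return sid_to_account


def sid_for_account(sid_map, account):
    """Reverse lookup (DOMAIN\\user -> SID), case-insensitive like Windows account names."""
    wanted = account.lower()
    for sid, name in sid_map.items():
        if name.lower() == wanted:
            return sid
    return None


def summarize(body, sid_map):
    """Combine the parsed event with the SID map into one record."""
    f = parse_event(body)
    account = "%s\\%s" % (f.get("Domain", ""), f.get("User Name", ""))
    return {
        "account": account,
        "sid": sid_for_account(sid_map, account),
        "logon_id": parse_logon_id(f["Logon ID"]),
        "logon_type": int(f["Logon Type"]),
        "logon_type_meaning": logon_type_meaning(f["Logon Type"]),
        "logon_process": f.get("Logon Process"),
        # Which resource was touched after the logon is not recorded in this event.
        "workstation": f.get("Workstation Name"),
    }


if __name__ == "__main__":
    sids = load_sid_map(SAMPLE_SID_FILE)
    for key, value in summarize(SAMPLE_EVENT, sids).items():
        print("%-20s %s" % (key, value))
```

The Logon ID is kept as one integer rather than the raw `(high,low)` text so that records from the same session can be matched by equality; the SID map is built once and then queried in both directions, which is what the "search the text file" step amounts to.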