The problem is that now I cannot log in to the server anymore.
From what I saw when I was logged in (but in safe mode), in the events there was no error message at all! This surprised me; I was hoping to see some error explaining why all the services do not start... nothing!! I just noticed that in the event log we are missing some entries like:
MSDTC started with the following settings: ...
The Terminal Services Configuration service entered the running state.
The Server service entered the running state.
The World Wide Web Publishing Service service entered the running state.
That means the services did not start! But no explanation why they did not start, no error!
So it looks like the process goes into an infinite loop somewhere between
"File System Filter 'luafv' (6.0, 2008-01-19T05:59:06.000Z) has successfully
loaded and registered with Filter Manager"
and
"The Plug and Play service entered the running state"
that delays all the other events from happening!
Network card driver error? (But in safe mode I have the internet...)
Other driver error? But why no error in the event log...
Below are all the events just after a reboot of the server for the 1st time:
**********************************
**********************************
**********************************
SYSTEM
**********************************
**********************************
**********************************
!!and nothing more until the next hard reboot!!
Information 10/2/2009 12:23:29 AM Microsoft-Windows-FilterManager 6 None
File System Filter 'luafv' (6.0, 2008-01-19T05:59:06.000Z) has successfully
loaded and registered with Filter Manager.
Information 10/2/2009 12:23:21 AM Tcpip 4201 None The system detected that
network adapter Local Area Connection was connected to the network, and has
initiated normal operation.
Information 10/2/2009 12:23:21 AM Tcpip 4201 None The system detected that
network adapter Local Area Connection was connected to the network, and has
initiated normal operation.
Information 10/2/2009 12:23:21 AM l2nd 9 None Broadcom BCM5708C: Network
controller configured for 100Mb full-duplex link.
Information 10/2/2009 12:23:21 AM Tcpip 4201 None The system detected that
network adapter Local Area Connection 2 was connected to the network, and
has initiated normal operation.
Information 10/2/2009 12:23:21 AM Tcpip 4201 None The system detected that
network adapter Local Area Connection 2 was connected to the network, and
has initiated normal operation.
Information 10/2/2009 12:23:21 AM l2nd 9 None Broadcom BCM5708C: Network
controller configured for 100Mb full-duplex link.
Warning 10/2/2009 12:23:19 AM l2nd 4 None Broadcom BCM5708C: The network
link is down. Check to make sure the network cable is properly connected.
Warning 10/2/2009 12:23:18 AM l2nd 4 None Broadcom BCM5708C: The network
link is down. Check to make sure the network cable is properly connected.
Information 10/2/2009 12:23:18 AM l2nd 16 None Broadcom BCM5708C: Driver
initialized successfully.
Information 10/2/2009 12:23:18 AM b06bdrv 18 None \Device\NTPNP_PCI0030:
Ndis device bound successfully.
Information 10/2/2009 12:23:18 AM l2nd 16 None Broadcom BCM5708C: Driver
initialized successfully.
Information 10/2/2009 12:23:18 AM b06bdrv 18 None \Device\NTPNP_PCI0032:
Ndis device bound successfully.
Information 10/2/2009 12:23:18 AM Microsoft-Windows-Kernel-Processor-Power 4
None "Processor 0 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 10/2/2009 12:23:18 AM Microsoft-Windows-Kernel-Processor-Power 4
None "Processor 3 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 10/2/2009 12:23:18 AM Microsoft-Windows-Kernel-Processor-Power 4
None "Processor 2 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 10/2/2009 12:23:18 AM Microsoft-Windows-Kernel-Processor-Power 4
None "Processor 1 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 10/2/2009 12:23:16 AM Tcpip 4201 None The system detected that
network adapter Loopback Pseudo-Interface 1 was connected to the network,
and has initiated normal operation.
Information 10/2/2009 12:23:16 AM Tcpip 4201 None The system detected that
network adapter Loopback Pseudo-Interface 1 was connected to the network,
and has initiated normal operation.
Information 10/2/2009 12:23:16 AM b06bdrv 12 None \Device\NTPNP_PCI0030:
Driver initialized successfully.
Information 10/2/2009 12:23:16 AM b06bdrv 12 None \Device\NTPNP_PCI0032:
Driver initialized successfully.
Information 10/2/2009 12:23:29 AM EventLog 6013 None The system uptime is 39
seconds.
Information 10/2/2009 12:23:29 AM EventLog 6005 None The Event log service
was started.
Information 10/2/2009 12:23:29 AM EventLog 6009 None Microsoft (R) Windows
(R) 6.00. 6002 Service Pack 2 Multiprocessor Free.
Information 10/2/2009 12:21:29 AM EventLog 6006 None The Event log service
was stopped.
Information 10/2/2009 12:21:28 AM Service Control Manager 7036 None The
Group Policy Client service entered the stopped state.
Information 10/2/2009 12:21:28 AM Service Control Manager 7036 None The
Windows Update service entered the stopped state.
Information 10/2/2009 12:21:28 AM Service Control Manager 7036 None The
Windows Modules Installer service entered the running state.
Information 10/2/2009 12:21:28 AM Microsoft-Windows-DistributedCOM 10029
None "DCOM started the service TrustedInstaller with arguments """" in
order to run the server:
{752073A1-23F2-4396-85F0-8FDB879ED0ED}"
Information 10/2/2009 12:21:28 AM USER32 1074 None "The process
C:\Windows\system32\winlogon.exe (SERVER10) has initiated the restart of
computer SERVER10 on behalf of user SERVER10\Administrator for the following
reason: No title for this reason could be found
Reason Code: 0x500ff
Shutdown Type: restart
Comment: "
Information 10/2/2009 12:21:26 AM USER32 1074 None "The process Explorer.EXE
has initiated the restart of computer SERVER10 on behalf of user
SERVER10\Administrator for the following reason: Application: Maintenance
(Planned)
Reason Code: 0x84040001
Shutdown Type: restart
Comment: "
**********************************
**********************************
**********************************
APPLICATION
**********************************
**********************************
**********************************
!!and nothing more until the next hard reboot!!
Information 10/2/2009 12:23:35 AM Microsoft-Windows-Security-Licensing-SLC
902 None "The Software Licensing service has started.
"
Information 10/2/2009 12:23:34 AM Microsoft-Windows-Security-Licensing-SLC
1005 None "The result of Windows Right consumption is: hr=0x0
"
Information 10/2/2009 12:23:34 AM Microsoft-Windows-Security-Licensing-SLC
1003 None "The Software Licensing service has completed licensing status
check.
"
Information 10/2/2009 12:23:34 AM Microsoft-Windows-Security-Licensing-SLC
1033 None "These policies are being excluded since they are only defined
with override-only attribute.
"
Information 10/2/2009 12:23:30 AM Microsoft-Windows-EventSystem 4625 None
The EventSystem sub system is suppressing duplicate event log entries for a
duration of 86400 seconds. The suppression timeout can be controlled by a
REG_DWORD value named SuppressDuplicateDuration under the following registry
key: HKLM\Software\Microsoft\EventSystem\EventLog.
Information 10/2/2009 12:23:30 AM Microsoft-Windows-Security-Licensing-SLC
900 None "The Software Licensing service is starting.
"
Information 10/2/2009 12:23:30 AM Microsoft-Windows-User Profiles Service
1531 None "The User Profile Service has started successfully.
"
Information 10/2/2009 12:21:28 AM
Microsoft-Windows-CertificateServicesClient 2 None Certificate Services
Client has been stopped.
Information 10/2/2009 12:21:27 AM
Microsoft-Windows-CertificateServicesClient 2 None Certificate Services
Client has been stopped.
Information 10/2/2009 12:21:28 AM Microsoft-Windows-MSDTC 4111 SVC The MS
DTC service is stopping.
Warning 10/2/2009 12:21:27 AM Microsoft-Windows-User Profiles Service 1530
None "Windows detected your registry file is still in use by other
applications or services. The file will be unloaded now. The applications or
services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from
\Registry\User\S-1-5-21-2358723158-3070534255-1126232614-500:
Process 296 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key
\REGISTRY\USER\S-1-5-21-2358723158-3070534255-1126232614-500\Printers\DevModePerUser
"
Information 10/2/2009 12:21:27 AM Desktop Window Manager 9009 None The
Desktop Window Manager has exited with code (0x40010004)
**********************************
**********************************
**********************************
SECURITY
**********************************
**********************************
**********************************
!!and nothing more until the next hard reboot!!
Information 10/2/2009 12:23:44 AM Microsoft-Windows-Security-Auditing 5061
System Integrity "Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: SERVER10$
Account Domain: MOUTYHNE
Logon ID: 0x3e7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: le-a5c12300-65be-4527-930d-9f95b4932d62
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0"
Information 10/2/2009 12:23:44 AM Microsoft-Windows-Security-Auditing 5058
Other System Events "Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: SERVER10$
Account Domain: MOUTYHNE
Logon ID: 0x3e7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: Not Available.
Key Name:
88c4852146f789bc45b56e90f302b52c_58334793-82d1-4e55-8e35-8995a7752bb1
Key Type: Machine key.
Key File Operation Information:
File Path:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\88c4852146f789bc45b56e90f302b52c_58334793-82d1-4e55-8e35-8995a7752bb1
Operation: Read persisted key from file.
Return Code: 0x0"
Information 10/2/2009 12:23:32 AM Microsoft-Windows-Security-Auditing 5024
Other System Events The Windows Firewall Service has started successfully.
Information 10/2/2009 12:23:32 AM Microsoft-Windows-Security-Auditing 5033
Other System Events The Windows Firewall Driver has started successfully.
Information 10/2/2009 12:23:30 AM Microsoft-Windows-Security-Auditing 4672
Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 10/2/2009 12:23:30 AM Microsoft-Windows-Security-Auditing 4624
Logon "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: SERVER10$
Account Domain: MOUTYHNE
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x268
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on
the computer that was accessed.
The subject fields indicate the account on the local system which requested
the logon. This is most commonly a service such as the Server service, or a
local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most
common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was
created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated.
Workstation name is not always available and may be left blank in some
cases.
The authentication information fields provide detailed information about
this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event
with a KDC event.
- Transited services indicate which intermediate services have participated
in this logon request.
- Package name indicates which sub-protocol was used among the NTLM
protocols.
- Key length indicates the length of the generated session key. This will
be 0 if no session key was requested."
Information 10/2/2009 12:23:30 AM Microsoft-Windows-Security-Auditing 4648
Logon "A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: SERVER10$
Account Domain: MOUTYHNE
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x268
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by
explicitly specifying that account's credentials. This most commonly
occurs in batch-type configurations such as scheduled tasks, or when using
the RUNAS command."
Information 10/2/2009 12:23:30 AM Microsoft-Windows-Security-Auditing 4672
Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 10/2/2009 12:23:30 AM Microsoft-Windows-Security-Auditing 4624
Logon "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: SERVER10$
Account Domain: MOUTYHNE
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x268
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
"
Information 10/2/2009 12:23:30 AM Microsoft-Windows-Security-Auditing 4648
Logon "A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: SERVER10$
Account Domain: MOUTYHNE
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x268
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
"
Information 10/2/2009 12:23:29 AM Microsoft-Windows-Security-Auditing 4672
Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege"
Information 10/2/2009 12:23:29 AM Microsoft-Windows-Security-Auditing 4624
Logon "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: SERVER10$
Account Domain: MOUTYHNE
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x268
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
"
Information 10/2/2009 12:23:29 AM Microsoft-Windows-Security-Auditing 4672
Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege"
Information 10/2/2009 12:23:29 AM Microsoft-Windows-Security-Auditing 4624
Logon "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: SERVER10$
Account Domain: MOUTYHNE
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x268
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
"
Information 10/2/2009 12:23:29 AM Microsoft-Windows-Security-Auditing 4672
Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 10/2/2009 12:23:29 AM Microsoft-Windows-Security-Auditing 4624
Logon "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: SERVER10$
Account Domain: MOUTYHNE
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x268
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
"
Information 10/2/2009 12:23:29 AM Microsoft-Windows-Security-Auditing 4648
Logon "A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: SERVER10$
Account Domain: MOUTYHNE
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x268
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
"
Information 10/2/2009 12:23:28 AM Microsoft-Windows-Security-Auditing 4902
Audit Policy Change "The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0xcdf1"
Information 10/2/2009 12:23:27 AM Microsoft-Windows-Security-Auditing 4624
Logon "An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 0
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x1000100000004
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
"
Information 10/2/2009 12:23:27 AM Microsoft-Windows-Security-Auditing 4608
Security State Change "Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is
initialized."
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4634
Logoff "An account was logged off.
Subject:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x1c264
Logon Type: 3
This event is generated when a logon session is destroyed. It may be
positively correlated with a logon event using the Logon ID value. Logon IDs
are only unique between reboots on the same computer."
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4634
Logoff "An account was logged off.
Subject:
Security ID: S-1-5-21-2358723158-3070534255-1126232614-1001
Account Name: www.MOUTYHNE.com
Account Domain: SERVER10
Logon ID: 0x1c337
Logon Type: 4
"
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4634
Logoff "An account was logged off.
Subject:
Security ID: S-1-5-17
Account Name: IUSR
Account Domain: NT AUTHORITY
Logon ID: 0x3e3
Logon Type: 5
"
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4634
Logoff "An account was logged off.
Subject:
Security ID: S-1-5-21-2358723158-3070534255-1126232614-500
Account Name: Administrator
Account Domain: SERVER10
Logon ID: 0x199b2b4
Logon Type: 3
"
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4634
Logoff "An account was logged off.
Subject:
Security ID: S-1-5-21-2358723158-3070534255-1126232614-500
Account Name: Administrator
Account Domain: SERVER10
Logon ID: 0x199c722
Logon Type: 10
"
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4672
Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4624
Logon "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: SERVER10$
Account Domain: MOUTYHNE
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x270
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on
the computer that was accessed.
The subject fields indicate the account on the local system which requested
the logon. This is most commonly a service such as the Server service, or a
local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most
common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was
created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated.
Workstation name is not always available and may be left blank in some
cases.
The authentication information fields provide detailed information about
this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this
event with a KDC event.
- Transited services indicate which intermediate services have participated
in this logon request.
- Package name indicates which sub-protocol was used among the NTLM
protocols.
- Key length indicates the length of the generated session key. This will
be 0 if no session key was requested."
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4648
Logon "A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: SERVER10$
Account Domain: MOUTYHNE
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x270
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by
explicitly specifying that account's credentials. This most commonly
occurs in batch-type configurations such as scheduled tasks, or when using
the RUNAS command."
Information 10/2/2009 12:21:29 AM Microsoft-Windows-Eventlog 1100
Service shutdown The event logging service has shut down.
Information 10/2/2009 12:21:27 AM Microsoft-Windows-Security-Auditing 4647
Logoff "User initiated logoff:
Subject:
Security ID: S-1-5-21-2358723158-3070534255-1126232614-500
Account Name: Administrator
Account Domain: SERVER10
Logon ID: 0x199c722
This event is generated when a logoff is initiated but the token reference
count is not zero and the logon session cannot be destroyed. No further
user-initiated activity can occur. This event can be interpreted as a
logoff event."
thanks for all!
stephane
"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:OFyilW5QKHA.4600@TK2MSFTNGP05.phx.gbl...
"loki" <loki5100-newsgroup@yahoo.fr> wrote in message
news:3721A299-A5A8-466E-BFD0-5D3DA207D01A@microsoft.com...
Yes of course... nothing works, also some strange bug in IIS (I cannot see
the web site configuration details, for example).
I do not understand why nothing works just after a simple restart! Has this
already happened to someone?
Thank you in advance
stephane
No, that's not supposed to happen. It could be something else is causing
it. Post an ipconfig /all from the server, as well as the EventID# and
Source Names and the error messages in the events that you see from errors
in the event logs. This will better help than the descriptions you've
provided.
Ace
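Added example, not part of the original thread: the event descriptions quoted in the log above say a logoff can be correlated with its logon through the Logon ID value, and this Python code does that for a text export like the one posted. The one-field-per-line layout, the US-style date, and the function names are assumptions of this example; the sample values are abridged from the entries in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Abridged from the Security log entries posted above, with each field
# rejoined onto one line (the layout itself is an assumption).
SAMPLE = """\
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4634
Logon ID: 0x3e3
Logon Type: 5
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4634
Logon ID: 0x199b2b4
Logon Type: 3
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4634
Logon ID: 0x199c722
Logon Type: 10
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4624
Logon ID: 0x3e7
Logon Type: 5
Logon ID: 0x3e7
Information 10/2/2009 12:21:27 AM Microsoft-Windows-Security-Auditing 4647
Logon ID: 0x199c722
"""

HEADER = re.compile(r"^(Information|Warning|Error|Critical)\s+"
                    r"(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+(\S+)\s+(\d+)\b")
LOGON_ID = re.compile(r"^Logon ID:\s*(0x[0-9a-fA-F]+)")

def parse_events(text):
    """Return one dict per event header line, with every Logon ID that follows it."""
    events = []
    for line in map(str.strip, text.splitlines()):
        head = HEADER.match(line)
        if head:
            when = datetime.strptime(head[2], "%m/%d/%Y %I:%M:%S %p")  # US-style date assumed
            events.append({"time": when, "source": head[3], "id": int(head[4]), "logon_ids": []})
        elif events and (field := LOGON_ID.match(line)):
            events[-1]["logon_ids"].append(field[1].lower())
    return events

def sessions_by_logon_id(events):
    """Map each session's Logon ID to its event IDs in time order (one boot only)."""
    sessions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_ids"]:
            # 4624 lists the requester's Logon ID first and the new session's last;
            # the other events here identify their session under Subject (first).
            key = ev["logon_ids"][-1] if ev["id"] == 4624 else ev["logon_ids"][0]
            sessions[key].append(ev["id"])
    return dict(sessions)

if __name__ == "__main__":
    for logon_id, ids in sessions_by_logon_id(parse_events(SAMPLE)).items():
        print(logon_id, ids)
```

On the sample, session 0x199c722 shows the user-initiated logoff (4647) followed one second later by the session teardown (4634). Because Logon IDs are only unique between reboots, run it on one boot's worth of events at a time.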