JSI Tip 7260. Logoff event ID 538 is NOT logged when you shut down / restart?

Jerold Schulman

September 29, 2003


If you have configured auditing of successful logon and logoff events, you find that logoff event 538 is NOT logged during a shutdown or restart.

This behavior occurs because the logging service is stopped before the last user token is released.

To work around this behavior, also configure successful auditing of system events.

The following procedure may differ depending on your operating system:

1. Open the Local Security Settings snap-in, or Start / Run / SECPOL.MSC / OK.

2. Expand Local Policies.

3. Expand Audit Policy.

4. Double-click Audit system events in the right-hand pane.

5. Check the Success box.

6. Press Apply and OK.

7. Shut down and restart your computer.

The Security event log will contain:

Type: Success Audit
Source: Security
Category: System
Event ID: 512
Description: Windows is starting up.

Windows Server 2003 and Windows XP will also log:

Type: Success Audit
Source: Security
Category: Logon/Logoff
Event ID: 551
Description: User initiated logoff:
User Name:
Domain:
Logon ID:
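
When reviewing the Security log, the startup event can stand in for the missing 538. The following is an added example, not part of the original tip: it pairs logons with logoffs by Logon ID and uses event 512 to close any session that never received a 538. The records are constructed, the function and field names are hypothetical, and event ID 528 (successful logon in the Windows 2000/XP/2003 numbering) is assumed because the tip does not name it.

```python
from datetime import datetime

# Constructed sample records (time, event ID, Logon ID); not taken from a real log.
# 528 = successful logon (assumption: not named in the tip, Windows 2000/XP/2003 ID).
SAMPLE = [
    ("2003-09-29 08:00:05", 512, None),
    ("2003-09-29 08:01:10", 528, "0x1A2B"),
    ("2003-09-29 12:00:00", 538, "0x1A2B"),   # normal logoff, 538 written
    ("2003-09-29 13:00:00", 528, "0x2C3D"),
    ("2003-09-29 17:30:00", 551, "0x2C3D"),   # user initiated logoff, no 538 follows
    ("2003-09-29 17:32:40", 512, None),       # next startup after the restart
    ("2003-09-29 17:34:00", 528, "0x3E4F"),
]

def reconstruct_sessions(records):
    """Pair logons with logoffs; use 512 to close sessions that never got a 538."""
    open_sessions, closed = {}, []
    for stamp, event_id, logon_id in records:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if event_id == 528:
            open_sessions[logon_id] = {"logon_id": logon_id, "start": when,
                                       "end": None, "closed_by": None}
        elif event_id == 551 and logon_id in open_sessions:
            # Best available end time if the 538 is lost to the shutdown.
            open_sessions[logon_id]["end"] = when
        elif event_id == 538 and logon_id in open_sessions:
            session = open_sessions.pop(logon_id)
            session.update(end=when, closed_by="538")
            closed.append(session)
        elif event_id == 512:
            # Startup: every session still open ended in the shutdown, unlogged.
            for session in open_sessions.values():
                if session["end"] is None:
                    session["end"] = when  # upper bound only, real end is earlier
                    session["closed_by"] = "512 (upper bound)"
                else:
                    session["closed_by"] = "551 then 512"
                closed.append(session)
            open_sessions = {}
    return closed, list(open_sessions.values())

if __name__ == "__main__":
    done, still_open = reconstruct_sessions(SAMPLE)
    for s in done:
        print(s["logon_id"], s["start"], s["end"], s["closed_by"])
    print("still open:", [s["logon_id"] for s in still_open])
```

A session closed only by 512 has an end time that is an upper bound; on Windows Server 2003 and Windows XP the 551 timestamp narrows it.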


