joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Decoding the Caller Logon ID value in event logs

by @ 7:16 pm on 1/14/2013. Filed under tech

I was pinged today by a coworker who was trying to track down password change audit entries that looked something like:

Event Type:     Success Audit
Event Source:   Security
Event Category: Account Management
Event ID:       628
Date:           1/14/2013
Time:           2:52:32 PM
User:           NT AUTHORITY\SYSTEM
Computer:       DCNAME
Description:
User Account password set:
    Target Account Name: USERID
    Target Domain:       DOMAIN
    Target Account ID:   DOMAIN\USERID
    Caller User Name:    DCNAME$
    Caller Domain:       DOMAIN
    Caller Logon ID:     (0x0,0x3E7)

He was hoping I could tell him "who" was doing it based on the Caller Logon ID. I figured I would just send him a link explaining what the Caller Logon ID is and why, in this particular case, it wasn't going to give him any more information, but I couldn't find any good links on the web that explain what the value even is. I saw a lot of questions about it and a lot of people ignoring the question entirely, so I answered him and decided I should write a quick blog entry on how to sort this out.

The Caller Logon ID in the event log is the logon session ID, a LUID (locally unique identifier) written as (HighPart,LowPart) in hex, of the session on the computer that logged the event. Two things follow from "locally unique": the value only means something on that computer (here DCNAME), and only until that computer reboots, because LUIDs start over at boot. Given the ID, you can chase down the user SID, authentication package, logon type, logon server, when the user logged on and, if you are really interested, the processes running in that logon session. All of that is exactly what the LSA logon session APIs (LsaEnumerateLogonSessions to list the session LUIDs, LsaGetLogonSessionData to pull the details for one) hand back, so the information can be extracted with some pretty simple code using

http://msdn.microsoft.com/en-us/subscriptions/aa375400(v=vs.85).aspx

and

http://msdn.microsoft.com/en-us/subscriptions/aa379437(v=vs.85).aspx

Or you could simply download logonsessions from sysinternals to do the work for you!

http://technet.microsoft.com/en-us/sysinternals/bb896769.aspx

Running it on the computer that logged the event will list all of the logon sessions that currently exist there (logonsessions prints the LUID as HHHHHHHH:LLLLLLLL, so (0x0,0x3E7) shows up as 00000000:000003e7).

As to why that doesn't help us here: I recognize 0x0,0x3E7 because it is the well-known logon session LUID for LocalSystem (SYSTEM_LUID in winnt.h, 999 decimal; its siblings are 0x3E5 for LOCAL SERVICE, 0x3E4 for NETWORK SERVICE and 0x3E6 for ANONYMOUS LOGON). That session is created at boot, before anyone logs on, belongs to the local computer itself, and is always the first one logonsessions lists. Don't confuse it with the Terminal Services session (the "Session: 0" line in the output below, or the Session ID column you can enable in Task Manager); that is a different kind of session. So the event just further confirms that it really is LocalSystem (NT AUTHORITY\SYSTEM) on DCNAME making the change, which is also why the Caller User Name is the machine account DCNAME$, and there will be no logon audit event for that session to correlate with. You can tell logonsessions to dump the processes running under the logon session with -p, but for this session that usually isn't all that useful because you will see every service on the box, including a bunch of svchost processes, and nothing tells you which of them issued the password set. For a Caller Logon ID that is not one of the well-known ones, the same logonsessions run does tell you who it was, as long as the session still exists; once the user has logged off, look instead for the logon audit event (528 or 540 on Windows 2003, 4624 on 2008 and later) on the same computer that carries that same Logon ID, since it records the account, logon type, workstation name and source address.

For example:

[0] Logon session 00000000:000003e7:
    User name:    WORKGROUP\JOELT17$
    Auth package: NTLM
    Logon type:   (none)
    Session:      0
    Sid:          S-1-5-18
    Logon time:   1/13/2013 10:56:30 PM
    Logon server:
    DNS Domain:
    UPN:
      296: smss.exe
      480: csrss.exe
      520: wininit.exe
      540: csrss.exe
      584: winlogon.exe
      628: services.exe
      644: lsass.exe
      652: lsm.exe
      756: svchost.exe
      984: svchost.exe
     1020: svchost.exe
      340: stacsv64.exe
     1056: svchost.exe
     1308: DisplayLinkManager.exe
     1540: DisplayLinkUserAgent.exe
     1572: wlanext.exe
     1596: conhost.exe
     1648: spoolsv.exe
     1852: armsvc.exe
     1928: AESTSr64.exe
     1960: AppleMobileDeviceService.exe
     2020: mDNSResponder.exe
     2040: btwdins.exe
     1188: EvtEng.exe
     1832: InstallFilterService.exe
     1212: LMS.exe
     2192: mysqld.exe
     2248: o2flash.exe
     2308: PMBDeviceInfoProvider.exe
     2456: RegSrvc.exe
     2544: SeaPort.exe
     2708: sqlwriter.exe
     2812: WLIDSVC.EXE
     3304: WLIDSVCM.EXE
     3352: unsecapp.exe
     3736: WmiPrvSE.exe
     4500: SearchIndexer.exe
      700: iPodService.exe
     4088: svchost.exe
     4876: svchost.exe
     5068: dllhost.exe
     5432: inetinfo.exe
     3384: SearchFilterHost.exe

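As an added example (not code from the original post, and not from Sysinternals), here is a small Python script that does the correlation in one place: it pulls the Caller Logon ID out of the event description, checks it against the well-known LUIDs, converts it to the HHHHHHHH:LLLLLLLL form that logonsessions prints so it can be matched against saved "logonsessions -p" output, and falls back to a 528/540 logon event carrying the same Logon ID when the session is already gone. The event text, the logonsessions output and the account names in it are constructed samples, not real logs; the field layouts follow the Windows 2003-era event descriptions shown above.

```python
import re

# Well-known logon session LUIDs from winnt.h (HighPart is 0 for all of them).
# These sessions exist from boot and never produce a 528/540/4624 logon event.
WELL_KNOWN_LUIDS = {
    0x3E7: "SYSTEM / LocalSystem (S-1-5-18)",
    0x3E6: "ANONYMOUS LOGON (S-1-5-7)",
    0x3E5: "LOCAL SERVICE (S-1-5-19)",
    0x3E4: "NETWORK SERVICE (S-1-5-20)",
}
LUID_RE = re.compile(r"\((0x[0-9A-Fa-f]+),\s*(0x[0-9A-Fa-f]+)\)")

def parse_luid(text):
    """'(0x0,0x3E7)' -> (high, low); the event log prints (HighPart,LowPart)."""
    m = LUID_RE.search(text or "")
    if not m:
        raise ValueError("no (0xHIGH,0xLOW) logon ID in %r" % text)
    return int(m.group(1), 16), int(m.group(2), 16)

def event_field(event_text, name):
    """Pull one 'Name: value' line out of an event description (None if absent)."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.*?)\s*$", event_text, re.MULTILINE)
    return m.group(1) if m else None

def luid_key(high, low):
    """Format a LUID the way logonsessions.exe prints it: HHHHHHHH:LLLLLLLL."""
    return f"{high:08x}:{low:08x}"

def parse_logonsessions(output):
    """Parse 'logonsessions -p' text into {luid_key: {field: value, 'processes': [...]}}."""
    sessions, current = {}, None
    for line in output.splitlines():
        m = re.match(r"\[\d+\] Logon session ([0-9a-f]{8}:[0-9a-f]{8}):", line)
        if m:
            current = {"processes": []}
            sessions[m.group(1)] = current
            continue
        if current is None or not line.strip():
            continue
        m = re.match(r"\s+(\d+):\s+(\S.*)$", line)        # '   296: smss.exe'
        if m:
            current["processes"].append((int(m.group(1)), m.group(2).strip()))
            continue
        m = re.match(r"\s+([A-Za-z ]+):\s*(.*)$", line)    # '   Sid:   S-1-5-18'
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return sessions

def decode_caller(event_text, logonsessions_output="", logon_events=()):
    """Work out who a Caller Logon ID refers to. Order: well-known LUID, then live
    'logonsessions -p' output from the SAME computer, then a 528/540 logon event
    with the same Logon ID. A LUID means nothing on another host or after a reboot."""
    high, low = parse_luid(event_field(event_text, "Caller Logon ID"))
    result = {"luid": (high, low), "key": luid_key(high, low)}
    if high == 0 and low in WELL_KNOWN_LUIDS:
        result.update(resolved="well-known", identity=WELL_KNOWN_LUIDS[low])
        return result
    session = parse_logonsessions(logonsessions_output).get(result["key"])
    if session:
        result.update(resolved="logonsessions", session=session)
        return result
    for ev in logon_events:
        lid = event_field(ev, "Logon ID")
        if lid and parse_luid(lid) == (high, low):
            result.update(resolved="logon-event",
                          user=event_field(ev, "User Name"),
                          logon_type=event_field(ev, "Logon Type"),
                          workstation=event_field(ev, "Workstation Name"),
                          source=event_field(ev, "Source Network Address"))
            return result
    result["resolved"] = None   # stale LUID, wrong host, or no logon audit kept
    return result

# --- constructed sample data (not real logs); accounts, IDs and hosts are made up ---
EVENT_628_SYSTEM = """User Account password set:
    Target Account Name:   USERID
    Target Domain:         DOMAIN
    Caller User Name:      DCNAME$
    Caller Domain:         DOMAIN
    Caller Logon ID:       (0x0,0x3E7)
"""
EVENT_628_USER = EVENT_628_SYSTEM.replace("(0x0,0x3E7)", "(0x0,0x4B1C2)").replace("DCNAME$", "helpdesk1")
EVENT_528 = """Successful Logon:
    User Name:              helpdesk1
    Logon ID:               (0x0,0x4B1C2)
    Logon Type:             10
    Workstation Name:       ADMINWS01
    Source Network Address: 10.1.2.3
"""
LOGONSESSIONS_SAMPLE = """[0] Logon session 00000000:000003e7:
    User name:    WORKGROUP\\JOELT17$
    Auth package: NTLM
    Logon type:   (none)
    Session:      0
    Sid:          S-1-5-18
      296: smss.exe
      644: lsass.exe

[3] Logon session 00000000:0004b1c2:
    User name:    DOMAIN\\helpdesk1
    Auth package: Kerberos
    Logon type:   RemoteInteractive
    Session:      2
    Sid:          S-1-5-21-1-2-3-1105
     4120: mmc.exe
"""

if __name__ == "__main__":
    print(decode_caller(EVENT_628_SYSTEM))                      # well-known: SYSTEM
    print(decode_caller(EVENT_628_USER, LOGONSESSIONS_SAMPLE))  # live session match
    print(decode_caller(EVENT_628_USER, "", [EVENT_528]))       # logon event match
```

Run it as-is to see the three resolution paths. In practice you paste in the real event description and the "logonsessions -p" output captured on the same computer that logged the event (DCNAME here) before it reboots; if the session is already gone, feed it the 528/540 events from that computer's Security log instead.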
Hopefully this helps folks out. :)

 

   joe


One Response to “Decoding the Caller Logon ID value in event logs”

  1. Thiago says:

    Great info Joe.
