I was pinged today by a coworker who was trying to track down password change audit entries that looked something like:
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 628
Time: 2:52:32 PM
User: NT AUTHORITY\SYSTEM
User Account password set:
Target Account Name: USERID
Target Domain: DOMAIN
Target Account ID: DOMAIN\USERID
Caller User Name: DCNAME$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
And he was hoping I could tell him "who" was doing it based on the Caller Logon ID. I figured I would just send him a link explaining what the Caller Logon ID was and why, in this case, it wasn't going to give him any info, but I couldn't find any good links out on the web explaining what the Caller Logon ID value even is. I saw a lot of questions around it and a lot of people completely ignoring the question, so I responded to him and decided I should write a quick blog entry on how to sort this out.
The Caller Logon ID in the event log is basically a logon session ID on the local computer. This will allow you to chase down the user SID, authentication package, logon type, logon server, and when the user logged on and if you are really interested, the processes running in that logon session. This information can be extracted with some pretty simple code using
Or you could simply download logonsessions from Sysinternals to do the work for you!
Running it will show you all of your logon sessions.
As to why that doesn't help us here: I happen to recognize the logon session ID 0x0,0x3E7 because, to my knowledge, it has always been the first logon session (Session ID 0 if you enable viewing of Session IDs in TaskMan), which belongs to the local computer. So that just further confirms that it really is LocalSystem (NT AUTHORITY\SYSTEM) making the change. If you want, you can tell logonsessions to dump the processes running under the logon session with -p, but that usually isn't all that useful for this session, because you will often just see a bunch of svchost processes, which really doesn't help.
 Logon session 00000000:000003e7:
User name: WORKGROUP\JOELT17$
Auth package: NTLM
Logon type: (none)
Logon time: 1/13/2013 10:56:30 PM
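As an added example (not code from the post), here is a small Python script that turns the event's Caller Logon ID into a logon session LUID, looks that LUID up in logonsessions output saved as text, and flags the well-known service session LUIDs (0x3E7 for SYSTEM as above, plus LOCAL SERVICE and NETWORK SERVICE) where the ID will never name a person. The sample event and session text are constructed from the entries quoted above.

```python
import re

# Well-known logon session LUIDs from winnt.h; 0x3E7 is the LocalSystem session
# seen in the event above. A caller in one of these is a service, not a person.
WELL_KNOWN_LUIDS = {0x3E7: "NT AUTHORITY\\SYSTEM", 0x3E5: "NT AUTHORITY\\LOCAL SERVICE",
                    0x3E4: "NT AUTHORITY\\NETWORK SERVICE"}

def parse_logon_id(text):
    """'(0x0,0x3E7)' is (HighPart, LowPart) of a LUID; fold it into one integer."""
    m = re.fullmatch(r"\(?\s*0x([0-9a-fA-F]+)\s*,\s*0x([0-9a-fA-F]+)\s*\)?", text.strip())
    if not m:
        raise ValueError("not a logon ID: %r" % text)
    return (int(m.group(1), 16) << 32) | int(m.group(2), 16)

def parse_fields(text):
    """Collect 'Key: Value' lines (an event body or one logonsessions block) into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def parse_logonsessions(output):
    """Split logonsessions.exe text output on its 'Logon session HIGH:LOW:' headers."""
    sessions, current = {}, None
    for line in output.splitlines():
        m = re.search(r"Logon session ([0-9a-fA-F]{8}):([0-9a-fA-F]{8}):", line)
        if m:
            current = (int(m.group(1), 16) << 32) | int(m.group(2), 16)
            sessions[current] = {}
        elif current is not None:
            sessions[current].update(parse_fields(line))
    return sessions

def resolve_caller(event_text, logonsessions_output):
    """Map the event's Caller Logon ID to a session and say whether it can name a person."""
    luid = parse_logon_id(parse_fields(event_text)["Caller Logon ID"])
    session = parse_logonsessions(logonsessions_output).get(luid)
    builtin = WELL_KNOWN_LUIDS.get(luid)
    return {"luid": luid, "session": session, "well_known": builtin,
            "names_a_person": builtin is None and session is not None}

# Constructed sample input: the relevant lines of the 628 event and logonsessions output.
EVENT = "Event ID: 628\nCaller User Name: DCNAME$\nCaller Logon ID: (0x0,0x3E7)"
SESSIONS = (" Logon session 00000000:000003e7:\nUser name: WORKGROUP\\JOELT17$\n"
            "Auth package: NTLM\nLogon type: (none)\nLogon time: 1/13/2013 10:56:30 PM\n")

if __name__ == "__main__":
    print(resolve_caller(EVENT, SESSIONS))
```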
Hopefully this helps folks out.