I was pinged today by a coworker who was trying to track down password change audit entries that looked something like:
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 628
Date: 1/14/2013
Time: 2:52:32 PM
User: NT AUTHORITY\SYSTEM
Computer: DCNAME
Description:
User Account password set:
Target Account Name: USERID
Target Domain: DOMAIN
Target Account ID: DOMAIN\USERID
Caller User Name: DCNAME$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
He was hoping I could tell him "who" was doing it based on the Caller Logon ID. I figured I would just send him a link explaining what the Caller Logon ID is (and that in this case it wasn't going to give him any information), but I couldn't find any good links on the web explaining what the Caller Logon ID value even is. I saw a lot of questions about it and a lot of people completely ignoring the question, so I answered him directly and decided I should write a quick blog entry on how to sort this out.
The Caller Logon ID in the event log is basically a logon session ID, local to the computer that logged the event. From it you can chase down the user SID, authentication package, logon type, logon server, and when the user logged on, and, if you are really interested, the processes running in that logon session. This information can be extracted with some pretty simple code using the APIs documented at
http://msdn.microsoft.com/en-us/subscriptions/aa375400(v=vs.85).aspx
and
http://msdn.microsoft.com/en-us/subscriptions/aa379437(v=vs.85).aspx
Or you could simply download logonsessions from Sysinternals and let it do the work for you:
http://technet.microsoft.com/en-us/sysinternals/bb896769.aspx
Running it lists all of the logon sessions on the machine.
The reason that doesn't help here is that I happen to recognize the logon session ID 0x0,0x3E7: to my knowledge it has always been the first logon session (Session ID 0, if you enable the Session ID column in Task Manager), and it belongs to the local computer itself. So it only confirms that it really is LocalSystem (NT AUTHORITY\SYSTEM) making the change. You can tell logonsessions to dump the processes running under each logon session with -p, but for this session that usually isn't very useful, because you will mostly see a bunch of svchost processes, which doesn't tell you much.
For example:
[0] Logon session 00000000:000003e7:
User name: WORKGROUP\JOELT17$
Auth package: NTLM
Logon type: (none)
Session: 0
Sid: S-1-5-18
Logon time: 1/13/2013 10:56:30 PM
Logon server:
DNS Domain:
UPN:
296: smss.exe
480: csrss.exe
520: wininit.exe
540: csrss.exe
584: winlogon.exe
628: services.exe
644: lsass.exe
652: lsm.exe
756: svchost.exe
984: svchost.exe
1020: svchost.exe
340: stacsv64.exe
1056: svchost.exe
1308: DisplayLinkManager.exe
1540: DisplayLinkUserAgent.exe
1572: wlanext.exe
1596: conhost.exe
1648: spoolsv.exe
1852: armsvc.exe
1928: AESTSr64.exe
1960: AppleMobileDeviceService.exe
2020: mDNSResponder.exe
2040: btwdins.exe
1188: EvtEng.exe
1832: InstallFilterService.exe
1212: LMS.exe
2192: mysqld.exe
2248: o2flash.exe
2308: PMBDeviceInfoProvider.exe
2456: RegSrvc.exe
2544: SeaPort.exe
2708: sqlwriter.exe
2812: WLIDSVC.EXE
3304: WLIDSVCM.EXE
3352: unsecapp.exe
3736: WmiPrvSE.exe
4500: SearchIndexer.exe
700: iPodService.exe
4088: svchost.exe
4876: svchost.exe
5068: dllhost.exe
5432: inetinfo.exe
3384: SearchFilterHost.exe
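As an added example (not code from the original post), here is a small Python script that does the correlation described above: it pulls the Caller Logon ID out of the 628 event text, folds the (high,low) pair into a single LUID, checks it against the LUIDs Windows reserves for the built-in service accounts, and joins it against logonsessions output. The event and logonsessions text embedded below are constructed from the samples in this post, plus one made-up interactive session (DOMAIN\alice) to show a non-SYSTEM match.

```python
import re

# Constructed sample: the 628 event fields used here, taken from the post above.
EVENT_TEXT = """Event ID: 628
Caller User Name: DCNAME$
Caller Logon ID: (0x0,0x3E7)
"""
# Constructed sample: logonsessions -p output (first session from the post,
# plus a made-up interactive session to show a non-SYSTEM match).
LOGONSESSIONS_TEXT = """[0] Logon session 00000000:000003e7:
User name: WORKGROUP\\JOELT17$
Logon type: (none)
Sid: S-1-5-18
296: smss.exe
[1] Logon session 00000000:0000a1b2:
User name: DOMAIN\\alice
Logon type: Interactive
Sid: S-1-5-21-1-2-3-1001
"""
# LUIDs Windows reserves for the built-in service accounts (SYSTEM is 0x3E7 = 999).
WELL_KNOWN_LUIDS = {
    0x3E7: "NT AUTHORITY\\SYSTEM",
    0x3E5: "NT AUTHORITY\\LOCAL SERVICE",
    0x3E4: "NT AUTHORITY\\NETWORK SERVICE",
}

def parse_caller_logon_id(event_text):
    """Turn 'Caller Logon ID: (0xHIGH,0xLOW)' into one 64-bit LUID value."""
    m = re.search(r"Caller Logon ID:\s*\((0x[0-9A-Fa-f]+),\s*(0x[0-9A-Fa-f]+)\)", event_text)
    if not m:
        raise ValueError("no Caller Logon ID field in event text")
    return (int(m.group(1), 16) << 32) | int(m.group(2), 16)

def parse_logon_sessions(text):
    """Map LUID -> {field: value} from logonsessions output; skips 'PID: exe' lines."""
    sessions, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\[\d+\] Logon session ([0-9a-fA-F]{8}):([0-9a-fA-F]{8}):", line)
        if m:
            current = {}
            sessions[(int(m.group(1), 16) << 32) | int(m.group(2), 16)] = current
        elif current is not None and ": " in line and not re.match(r"\d+: ", line):
            key, _, value = line.partition(": ")
            current[key] = value.strip()
    return sessions

def resolve_caller(event_text, logonsessions_text):
    """Return the LUID, the well-known account it maps to (if any) and the session."""
    luid = parse_caller_logon_id(event_text)
    session = parse_logon_sessions(logonsessions_text).get(luid)
    return {"luid": luid, "well_known": WELL_KNOWN_LUIDS.get(luid), "session": session}
```

If `well_known` comes back set, the caller is the machine's own service account and the logon session will not name a person; otherwise the matched session's User name and Sid are the account you were looking for.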
Hopefully this helps folks out. 🙂
joe
Great info Joe.