Discussion:
Unknown Security Event
Joel G. Brown
2006-12-27 14:08:08 UTC
Hello Everyone,
We are getting some security events in which almost all of the
properties are getting logged as unknown. Can someone explain the
cases when this can happen or how to research such events? Below is an
example of the event:

Session reconnected to winstation:
User Name: Unknown
Domain: Unknown
Logon ID: (0x0,0x0)

The Event ID is a 682

Thank you,
Joel G. Brown
Anders Bengtsson
2006-12-27 14:43:52 UTC
Hi Joel

Please look at this KB http://support.microsoft.com/kb/889187
If that does not help, please post the whole alert, with all parameters.
--
Regards
Anders Bengtsson [MCSE, MCSA, MCP] | anders AT contoso.se |
http://www.contoso.se
Joel G. Brown
2006-12-27 15:09:08 UTC
Post by Anders Bengtsson
Hi Joel
Please look at this KB http://support.microsoft.com/kb/889187
If that does not help, please post the whole alert, with all parameters.
Hello and thank you for the prompt response. The interesting thing is
sometimes it works correctly and other times it does not.

Below are a few sample entries
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 682
Date: 12/21/2006
Time: 9:27:19 AM
User: NT AUTHORITY\SYSTEM
Computer: ********
Description:
Session reconnected to winstation:
User Name: Unknown
Domain: Unknown
Logon ID: (0x0,0x0)
Session Name: RDP-Tcp#11
Client Name: USABBWND16016
Client Address: 130.110.199.127

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 682
Date: 12/17/2006
Time: 6:07:05 AM
User: NT AUTHORITY\SYSTEM
Computer: ********
Description:
Session reconnected to winstation:
User Name: Unknown
Domain: Unknown
Logon ID: (0x0,0x0)
Session Name: Console
Client Name: Unknown
Client Address: Unknown

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
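
One way to research entries like the ones posted above, as an added example that is not part of the original thread: parse a text export of the Security log, pick out the 682 records whose User Name, Domain and Logon ID are all placeholders, and count them per session type and client address. The sample records, host names and address are constructed for illustration.

```python
import re
from collections import Counter

# "Key: value" lines only; "Description:" and URLs (colon not followed by a space) are skipped.
FIELD = re.compile(r"(?m)^[ \t]*([A-Za-z ]+?):[ \t]+(\S.*)$")

def parse_events(text):
    """Split an Event Viewer text export into one dict of fields per record."""
    chunks = re.split(r"(?m)^(?=[ \t]*Event Type:)", text)   # each record starts here
    return [{k.strip(): v.strip() for k, v in FIELD.findall(c)}
            for c in chunks if c.strip()]

def is_unattributed(ev):
    """True for a 682 record whose account fields are all placeholders."""
    return (ev.get("Event ID") == "682" and ev.get("User Name") == "Unknown"
            and ev.get("Domain") == "Unknown"
            and ev.get("Logon ID") == "(0x0,0x0)")

def summarize(events):
    """Count unattributed reconnects per (session type, client address)."""
    hits = Counter()
    for ev in filter(is_unattributed, events):
        kind = ev.get("Session Name", "Unknown").split("#")[0]  # RDP-Tcp#3 -> RDP-Tcp
        hits[(kind, ev.get("Client Address", "Unknown"))] += 1
    return hits

def _record(user, domain, logon_id, session, client, addr):
    # Builds one constructed record in the layout of the entries posted above.
    return ("Event Type: Success Audit\nEvent Source: Security\n"
            "Event Category: Logon/Logoff\nEvent ID: 682\n"
            "User: NT AUTHORITY\\SYSTEM\nDescription:\n"
            "Session reconnected to winstation:\n"
            f"User Name: {user}\nDomain: {domain}\nLogon ID: {logon_id}\n"
            f"Session Name: {session}\nClient Name: {client}\n"
            f"Client Address: {addr}\n\n")

# Constructed sample data (hypothetical names, documentation-range address).
SAMPLE = "".join(_record(*r) for r in [
    ("Unknown", "Unknown", "(0x0,0x0)", "RDP-Tcp#3", "WKS-EXAMPLE", "192.0.2.10"),
    ("Unknown", "Unknown", "(0x0,0x0)", "Console", "Unknown", "Unknown"),
    ("jdoe", "EXAMPLE", "(0x0,0x1A2B3C)", "RDP-Tcp#4", "WKS-EXAMPLE", "192.0.2.10"),
    ("Unknown", "Unknown", "(0x0,0x0)", "RDP-Tcp#7", "WKS-EXAMPLE", "192.0.2.10"),
])

if __name__ == "__main__":
    for (kind, addr), n in summarize(parse_events(SAMPLE)).most_common():
        print(f"{n} unattributed reconnect(s): session={kind} client={addr}")
```

Grouping the unattributed records this way shows at a glance whether they come from console reconnects, from RDP sessions, or from one particular client.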
Anders Bengtsson
2006-12-27 16:04:41 UTC
And is it always User: NT AUTHORITY\SYSTEM that is unknown?
--
Regards
Anders Bengtsson [MCSE, MCSA, MCP] | anders AT contoso.se |
http://www.contoso.se
Roger Abell [MVP]
2006-12-30 08:38:48 UTC
Post by Joel G. Brown
Post by Anders Bengtsson
Hi Joel
Please look at this KB http://support.microsoft.com/kb/889187
If that does not help, please post the whole alert, with all parameters.
Hello and thank you for the prompt response. The interesting thing is
sometimes it works correctly and other times it does not.
What "it" works or does not?
These look like TS has reconnected a disconnected session.
You mean usually you see all fields populated, but sometimes
only filled as shown?
Roger Abell [MVP]
2006-12-30 08:29:25 UTC
Did you make a mistake in the KB number?

Roger
Post by Anders Bengtsson
Hi Joel
Please look at this KB http://support.microsoft.com/kb/889187
If that does not help, please post the whole alert, with all parameters.