Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

The User Logoff Event ID 538 Is Not Logged to the Security Event Log When You Shut Down Your Computer and Then Restart It


View products that this article applies to.

Symptoms

If you configure an audit policy to audit successful logon and logoff events, you may find that the user logoff audit event ID 538 is not logged to the security event log after you shut down your computer and then restart it.

↑ Back to the top


Cause

This behavior occurs because during the shutdown process, the service that writes to the security event log is already stopped when the last token for the user who logs off is released. As a result, the user logoff audit event ID 538 is not logged to the security event log when you shut down your computer and then restart it. This behavior is by design.

↑ Back to the top


Workaround

To work around this behavior, configure an audit policy to audit successful system events. To do this, follow these steps on the local computer.

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
  1. Click Start, and then click Control Panel.
  2. Double-click Administrative Tools, and then double-click Local Security Settings.
  3. Expand Local Policies, and then expand Audit Policy.
  4. In the right pane, double-click Audit system events.
  5. Click to select the Success check box, and then click OK.
  6. Restart the computer.
The following event ID is logged to the security event log:

Type: Success Audit
Source: Security
Category: System
Event ID: 512
Description:
Windows is starting up.

Also, if you are running Windows Server 2003 or Windows XP, the following event is logged to the security event log:

Type: Success Audit
Source: Security
Category: Logon/Logoff
Event ID: 551
Description:
User initiated logoff:
User Name: UserName
Domain: Domain
Logon ID: LogonID

↑ Back to the top


Keywords: KB828857, kbprb

↑ Back to the top

Article Info
Article ID : 828857
Revision : 3
Created on : 10/30/2006
Published on : 10/30/2006
Exists online : False
Views : 282