W2K WS Event Viewer Shutdown audit question - Techist - Tech Forum

Old 07-03-2005, 12:26 AM   #1 (permalink)

I am running Windows 2000 workstation and need to get an audit report generated that documents when the computer shuts down. It will tell me when it is started (Event Viewer: Security) but not when it shuts down. Windows XP Professional will report both.

Q: How do I get W2K to record and report when it shuts down? Is it a registry setting? A local policy setting?

TIA.

--Bruce
barubin is offline  
Old 07-03-2005, 12:54 AM   #2 (permalink)

Maybe this will help:

http://www.sans.org/resources/auto_a...#Audit%20Setup
Osiris is offline  
Old 07-03-2005, 01:14 AM   #3 (permalink)

Warez Monster,

Thanks.

It was an excellent article on the topic but I didn't notice any info on my specific problem.

Any other suggestions?

--Bruce
barubin is offline  
Old 07-05-2005, 07:03 PM   #4 (permalink)

I am considering this the "solution" to my problem:

http://support.microsoft.com/default...b;en-us;196452

Article ID : 196452
Last Review : July 15, 2004
Revision : 2.1


Why Windows NT Reports 6005, 6006, 6008, and 6009 Event Log Entries

SUMMARY
Windows NT 4.0 Service Pack 4 records the system startup and shutdown times and logs them in the event log with the following Event IDs:

• Event 6005 is logged at boot time noting that the Event Log service was started. It gives the message "The Event log service was started".
• Event 6006 is logged as a clean shutdown. It gives the message "The Event log service was stopped".
• Event 6008 is logged as a dirty shutdown. It gives the message "The previous system shutdown at time on date was unexpected".
• Event 6009 is logged during every boot and indicates the operating system version, build number, service pack level, and other pertinent information about the system. Depending on your current configuration, it gives a message similar to: "Microsoft (R) Windows NT 4.0 1381 Service Pack 6 Multiprocessor free".
These event IDs are logged for informational purposes only.

APPLIES TO
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Professional Edition
• Microsoft Windows 2000 Datacenter Server
• Microsoft Windows NT Server 4.0 Standard Edition
• Microsoft Windows NT Workstation 4.0 Developer Edition
• Microsoft Windows NT Server 4.0 Terminal Server
barubin is offline  
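
An added example, not part of the thread or of the Microsoft article: one way to turn the four event IDs listed above into a boot/shutdown audit report, including sessions that ended without a 6006. The function names (`build_sessions`, `parse`), the one-record-per-line export format and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime

# Event IDs from the KB article quoted above (logged by the Event Log service).
STARTED, STOPPED, UNEXPECTED = 6005, 6006, 6008   # 6009 (version banner) is ignored

def build_sessions(events):
    """Pair boots with shutdowns. events: iterable of (datetime, event_id)."""
    sessions = []
    for ts, eid in sorted(events):
        cur = sessions[-1] if sessions else None
        prev = sessions[-2] if len(sessions) > 1 else None
        if eid == STARTED:
            # A new boot while the last session never logged 6006 means
            # that session ended without a clean shutdown.
            if cur and cur["end"] == "open":
                cur["end"] = "unexpected"
            sessions.append({"boot": ts, "shutdown": None,
                             "end": "open", "confirmed_6008": False})
        elif eid == STOPPED and cur and cur["end"] == "open":
            cur.update(shutdown=ts, end="clean")
        elif eid == UNEXPECTED:
            # 6008 is written on the boot after a dirty shutdown and can
            # land just before or just after that boot's 6005.
            if prev and prev["end"] == "unexpected" and not prev["confirmed_6008"]:
                prev["confirmed_6008"] = True
            elif cur and cur["end"] == "open":
                cur.update(end="unexpected", confirmed_6008=True)
    return sessions

def parse(line):
    """Assumed export format: 'YYYY-MM-DD HH:MM:SS,<event id>'."""
    stamp, eid = line.split(",")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), int(eid)

# Constructed sample records, not taken from a real machine.
SAMPLE = """2005-07-01 08:00:05,6009
2005-07-01 08:00:05,6005
2005-07-01 17:30:10,6006
2005-07-02 08:05:00,6009
2005-07-02 08:05:00,6005
2005-07-03 09:00:00,6009
2005-07-03 09:00:00,6005
2005-07-03 09:00:02,6008
2005-07-03 18:00:00,6006""".splitlines()

if __name__ == "__main__":
    for s in build_sessions(map(parse, SAMPLE)):
        print(s["boot"], "->", s["shutdown"] or "no shutdown time logged",
              f"[{s['end']}{', 6008 seen' if s['confirmed_6008'] else ''}]")
```

A session reported as `unexpected` without a matching 6008 is worth a second look in an audit, since it means the log shows a boot with neither a clean stop nor the usual dirty-shutdown record before it.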