Windows Security Log Events by ID: Event ID 540

Windows Security Log Events by ID

look up more events by Event ID or Category

Event ID

540

Title

Successful Network Logon

Type:

Example:

Randy's Comments:

Success

OS:

Windows 2000
XP
Windows 2003

Category:

Logon/Logoff

Successful Network Logon
User Name: %1 Domain: %2
Logon ID: %3 Logon Type: %4
Logon Process: %5 Authentication Package: %6
Workstation Name: %7

Windows XP and Windows Server 2003 add:

Logon GUID:{d39697e4-34a9-b3e0-f30a-d2ba517eb4a2}

Windows Server 2003 adds these fields:

Caller User Name:-
Caller Domain:-
Caller Logon ID:-
Caller Process ID: -
Transited Services: -
Source Network Address:10.42.42.170
Source Port:3165

Event 540 gets logged when a user elsewhere on the network connects to a resource (e.g. shared folder) provided by the Server service on this computer. Logon Type will always be 3 which indicates a network logon. For all other logon types see event 528 .

Event 540 gets logged whether the account used for logon is a local SAM account or a domain account. For all other types of logons this event is logged including

For an explanation of logon processes see event 515. For an explanation of authentication package see event 514.

Logon GUID is not documented. It is not clear what the caller user, caller process ID, transited services are about.

Source Network Address corresponds to the IP address of the Workstation Name. Source Port is the TCP port of the workstation and has dubious value.

Windows Security Log Events by ID

540

Successful Network Logon

Upcoming Webinars by Randy Franklin Smith

Additional Links