Windows Security Log Event ID 540
Operating Systems Windows Server 2000
Windows XP
Windows Server 2003
CategoryLogon/Logoff
Type Success
Corresponding events
in Windows 2008
and Vista
4624  
Discussions on Event ID 540
2003 RDP sessions
How to link 540 events to 673/672 events
Multiple 540's on multiple DC's for single client
Interpretation of Components in 540 event
540's on local workstation & DC

540: Successful Network Logon

On this page

Event 540 gets logged when a user elsewhere on the network connects to a resource (e.g. shared folder) provided by the Server service on this computer. The Logon Type will always be 3 or 8, both of which indicate a network logon.

Logon type 3 is what you normally see.  Logon Type 8 means network logon with clear text authentication.  The only scenario where we've observed logon type 8 is with logons to IIS web-sites via Basic Authentication.  Don't immediately sound the alarms if you see logon type 8 since most Basic Authentication is wrapped up inside an SSL session via https.

For all other logon types see event 528.

Event 540 gets logged whether the account used for logon is a local SAM account or a domain account. For all other types of logons this event is logged including

For an explanation of logon processes see event 515. For an explanation of authentication package see event 514.

Logon GUID is not documented. It is not clear what the caller user, caller process ID, transited services are about.

Source Network Address corresponds to the IP address of the Workstation Name. Source Port is the TCP port of the workstation and has dubious value.

  • User Name: %1
  • Domain: %2
  • Logon ID: %3
  • Logon Type: %4
  • Logon Process: %5
  • Authentication Package: %6
  • Workstation Name: %7

The following field is not logged in Window 2000:

  • Logon GUID

The following fields are not logged in Windows 2000 or XP:

  • Caller User Name:
  • Caller Domain:
  • Caller Logon ID:
  • Caller Process ID:
  • Transited Services:
  • Source Network Address:
  • Source Port:

Top 10 Windows Security Events to Monitor

Successful Network Logon

User Name: %1
Domain: %2
Logon ID: %3
Logon Type: %4
Logon Process: %5
Authentication Package: %6
Workstation Name: %7

Windows XP and Windows Server 2003 add:

Logon GUID:{d39697e4-34a9-b3e0-f30a-d2ba517eb4a2}
Windows Server 2003 adds these fields:
Caller User Name:-
Caller Domain:-
Caller Logon ID:-
Caller Process ID: -
Transited Services: -
Source Network Address:10.42.42.170
Source Port:3165

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this



Training for the Windows Security Log