Windows Security Log Event ID 538
Operating Systems |
Windows Server 2000
Windows 2003 and XP
|
Category | Logon/Logoff |
Type
|
Success
|
Corresponding events
in Windows
2008 and Vista |
4634
|
538: User Logoff
On this page
Ostensibly, event 538 is logged whenever a user logs off, whether from a network connection, interactive logon, or other logon type. (See event 528 for a chart of logon types) However, this event is not dependably logged, for a variety of reasons. In a nutshell, there is no way to reliably track user logoff events in the Windows environment.
Note: Beginning with Windows Server 2003, logoffs of logon type 2 sessions are logged with event 551.
For network connections (such as to a file server), it will appear that users log on and off many times a day. This phenomenon is caused by the way the Server service terminates idle connections.
If a user turns off his/her computer, Windows does not have an opportunity to log the logoff event until the system restarts. Therefore, some logoff events are logged much later than the time at which they actually occur.
Sometimes Windows simply doesn't log event 538.
Microsoft's comments:
This event does not necessarily indicate the time that a user has stopped using a system. For example, if the computer is shut down or loses network connectivity it may not record a logoff event at all.
Free Security Log Resources by Randy
- User Name:
- Domain:
- Logon ID:
- Logon Type:
Setup PowerShell Audit Log Forwarding in 4 Minutes