The User Logoff Event ID 538 Is Not Logged to the Security Event Log When You Shut Down Your Computer and Then Restart It (828857)

SYMPTOMS

If you configure an audit policy to audit successful logon and logoff events, you may find that the user logoff audit event ID 538 is not logged to the security event log after you shut down your computer and then restart it.

CAUSE

This behavior occurs because during the shutdown process, the service that writes to the security event log is already stopped when the last token for the user who logs off is released. As a result, the user logoff audit event ID 538 is not logged to the security event log when you shut down your computer and then restart it. This behavior is by design.

WORKAROUND

To work around this behavior, configure an audit policy to audit successful system events. To do this, follow these steps on the local computer.

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

Click Start, and then click Control Panel.
Double-click Administrative Tools, and then double-click Local Security Settings.
Expand Local Policies, and then expand Audit Policy.
In the right pane, double-click Audit system events.
Click to select the Success check box, and then click OK.
Restart the computer.

The following event ID is logged to the security event log:Type: Success Audit
Source: Security
Category: System
Event ID: 512
Description:
Windows is starting up. Also, if you are running Windows Server 2003 or Windows XP, the following event is logged to the security event log:Type: Success Audit
Source: Security
Category: Logon/Logoff
Event ID: 551
Description:
User initiated logoff:
User Name: UserName
Domain: Domain
Logon ID: LogonID