On a Windows Server 2012 machine, in Event Viewer, there was some unusual behaviour on a system, a service was stopping and I was unsure if it "stopped itself" or was forced to stop by a user action. So I went to Windows logs | Security area in eventvwr.msc and I see no logons of any ordinary users, but I do see a pattern repeating of the following kind:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Description: An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
Security ID: SYSTEM
Logon GUID: {a7...}
LogonProcessName: Kerberos
I am assuming that this means that a service is bootstrapping into the SYSTEM context, and that the NULL SID referenced in the event log is only the initial state of some unauthenticated System or Kernel or Service code. Is my interpretation correct or is this something else?
From the logon process name, I assume this is the Microsoft Kerberos service.
Best Answer
Local SYSTEM account's are outside the security subsystem.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx