Hi,
I have one problem: When I logoff from console, sucurity audit doesnt output
event into eventlog.
I noticed that reference counter (PointerCount) of token object of one
winlogon thread is NOT zero “0”.
According to MSFT, logoff audit output into eventlog, when all
pointercounter of all thread in user context is zero “0”.
So I tried to debug who doesnt decrement token object of this thread of
winlogon.
But I dont know how to debug to find out who…
* Anyone know good way?
I dont know why PointerCount is remained in this user context.
Is this winlogon or lsass BUG?
Is this BUG of something program which refer to token object of winlogon
thread?
* Anyone know why this is caused?
Kimi