If you have configured auditing of successful logon and logoff events, you find that logoff event 538 is NOT logged during a shutdown or restart.
This problem behavior is the result of the logging service being stopped before the last user token is released.
To workaround this behavior, also configure successful auditing of system events.
Based upon your operating system, the following procedure may differ:
1. Open the Local Security Settings snap-in, or Start / Run / SECPOL.MSC / OK.
2. Expand Local Policies.
3. Expand Audit Policy.
4. Double-click Audit system events in the right-hand pane.
5. Check the Success box.
6. Press Apply and OK.
7. Shutdown and restart your computer.
The Security event log will contain:
Type: Success Audit
Source: Security
Category: System
Event ID: 512
Description: Windows is starting up.
Windows Server 2003 and Windows XP will also log:
Type: Success Audit
Source: Security
Category: Logon/Logoff
Event ID: 551
Description: User initiated logoff:
User Name: <UserName>
Domain: <DomainName>
Logon ID: <LogonID>
