question

TickTickTickTick-9195 asked HannahXiong-MSFT commented

Event 4624 triggered when I wasn't at computer

Recently I was going over my event logs and found that there was an event log 4624 representing a successful logon at 11.45. The thing was, I was in school from 8 to 5, and left my laptop at home. There's also activity at 9 am, though only events with ID 5379 (Credential Manager credentials were read.) are found.


Is it possible that the events were triggered automatically somehow? Or should I be concerned that someone in my house knows my password and is logging on to my accounts? Is there a way I can see the activity done on my computer after an event 4624, or further verify if a person has accessed my computer?

From what I can see, there are mostly events with logon type 2, 5 and 11. Impersonation levels are mostly "Impersonation". Should I specifically look for and count combinations? e.g. (x events with logon type 2, impersonation level "Impersonation"), (y events with logon type 5, impersonation level "")

Am I correct in that I should only worry about events with logon type 11, and regard the other types as automated system background stuff?

Is there a way to scan specific logon types?

windows-10-security

Castorix31 answered

Have you checked details, like Logon Type?
(Windows Security Log Event ID 4624)



HannahXiong-MSFT answered TickTickTickTick-9195 commented

Hello @TickTickTickTick-9195,

Thank you so much for posting here.

May I know more information or details of the event 4624? The event will record the logon type, logon account, and so on.

For more information about this event, please refer to:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

Thanks and looking forward to hearing from you.

Best regards,
Hannah Xiong


From what I can see, there are mostly events with logon type 2, 5 and 11. Impersonation levels are mostly "Impersonation". Should I specifically look for and count combinations? e.g. (x events with logon type 2, impersonation level "Impersonation"), (y events with logon type 5, impersonation level "")

Am I correct in that I should only worry about events with logon type 11, and regard the other types as automated system background stuff?

Is there a way to scan specific logon types?

HannahXiong-MSFT answered TickTickTickTick-9195 commented

Hello,

Thank you so much for your kind reply.

The logon type is one side, and we should also pay attention to other information such as account name, which will indicate which account logs on to this computer. If possible, would you please check the account name information of the events? Are they the same account or different accounts?

Looking forward to hearing from you.

Best regards,
Hannah Xiong

TickTickTickTick-9195 answered TickTickTickTick-9195 edited

@HannahXiong-MSFT

I have only 1 account (it's the administrator one made during the first start up) on this computer, not including the default Administrator account, so they should all be the same. Is there a way to "hide" accounts from common use? If you require a full transcript, I can try to export my logs.

Thanks

HannahXiong-MSFT answered piaudonn edited

Hello @TickTickTickTick-9195,

Thank you so much for your kind reply. We will need to review the event 4624 to check the account name. For example, below is the screenshot from my lab, which indicates that the account name Administrator logged on to the computer Client, and the Logon Type is 10.

116575-image.png

Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever "Subject\Security ID" is not SYSTEM. As mentioned before, we could refer to this documentation for the event 4624:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

Due to security consideration, it is suggested not to share any logs here. For any confidential or private information, please try to make them blurred if we want to share the screenshots here.

For any question, please feel free to contact us.

Best regards,
Hannah Xiong




@HannahXiong-MSFT the full log of the event in question is as follows: 116699-log.txt
My main concern is finding out if someone is using my computer. How can I separate events triggered by the system from user-triggered events? From my understanding, if event 4624 triggers with logon type 5 it is a routine system check, while 7 or 11 is user triggered. Is this right?

Thanks for any insight


piaudonn (replying to TickTickTickTick-9195):
 An account was successfully logged on.
    
 Subject:
     Security ID:        SYSTEM
     Account Name:        LAPTOP-FN2OMT9D$
     Account Domain:        WORKGROUP
     Logon ID:        0x3E7
    
 Logon Information:
     Logon Type:        5
     Restricted Admin Mode:    -
     Virtual Account:        No
     Elevated Token:        Yes
    
 Impersonation Level:        Impersonation
    
 New Logon:
     Security ID:        SYSTEM
     Account Name:        SYSTEM
     Account Domain:        NT AUTHORITY
     Logon ID:        0x3E7
     Linked Logon ID:        0x0
     Network Account Name:    -
     Network Account Domain:    -
     Logon GUID:        {00000000-0000-0000-0000-000000000000}
    
 Process Information:
     Process ID:        0x54
     Process Name:        C:\Windows\System32\services.exe


This is not a human using your computer, it is a service running in the background as SYSTEM. It looks normal.

HannahXiong-MSFT answered HannahXiong-MSFT commented

Hello @TickTickTickTick-9195,

Thank you so much for your kind reply.

This provided event is triggered by the SYSTEM account and the logon account is SYSTEM. As mentioned, it is normal, and it is hard to tell from the event that someone is using your computer.

116988-image.png

As stated, this event 4624 is typically triggered by the SYSTEM account, no matter what the logon type is. If we have any concerns, we could keep on monitoring the event 4624 for different Subject\Security ID and account name.

Since we would like to find out if someone is using our computer, it is suggested that we could take other measures, such as installing a monitor.

Thanks a lot and wish you a lovely day.

Best regards,
Hannah Xiong



Hello @TickTickTickTick-9195,

Hope you are doing well.

May I know how things are going on your end? If there is anything else we could do for you, you are welcome to post here.

Best regards,
Hannah Xiong

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hello @TickTickTickTick-9195,

I would like to know how things are going on your end. If you have any questions or concerns about the latest information I provided, please don't hesitate to let me know.

If the reply is helpful, we would greatly appreciate it if you would accept it as answer.

Please let us know if you would like further assistance. Thanks.

Best regards,
Hannah Xiong
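
To scan event 4624 for specific logon types, as asked in the question, the following PowerShell is an added example and not code posted by anyone in the thread. It reads the local Security log, keeps logon types 2, 7, 10 and 11, and drops entries whose New Logon account is SYSTEM or a per-session system account; the function name Get-InteractiveLogon, the default time window and the chosen type list are assumptions.

```powershell
# Added example: list 4624 logons of the types produced by a person at the
# keyboard or over Remote Desktop. Run from an elevated PowerShell prompt,
# because reading the Security log needs administrator rights.

$LogonTypeName = @{
    2  = 'Interactive (console)'
    7  = 'Unlock'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

function Get-InteractiveLogon {   # hypothetical helper name
    param(
        [datetime]$After = (Get-Date).AddDays(-7),
        [int[]]$LogonType = @(2, 7, 10, 11)
    )

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $After } |
        ForEach-Object {
            # Turn the event's <EventData><Data Name="..."> elements into a lookup table.
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $fields[$d.Name] = $d.'#text'
            }

            $type = [int]$fields['LogonType']
            $sid  = $fields['TargetUserSid']

            # Skip types outside the requested set (5 = service, as in the event posted above).
            if ($LogonType -notcontains $type) { return }
            # Skip SYSTEM (S-1-5-18) and the per-session DWM-n / UMFD-n accounts
            # (S-1-5-90-*, S-1-5-96-*) that Windows logs as type 2 at every sign-in.
            if ($sid -match '^S-1-5-(18$|90-|96-)') { return }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                LogonType   = '{0} {1}' -f $type, $LogonTypeName[$type]
                Account     = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
                Process     = $fields['ProcessName']
                SourceIP    = $fields['IpAddress']
            }
        }
}

Get-InteractiveLogon -After (Get-Date).AddDays(-3) | Sort-Object TimeCreated | Format-Table -AutoSize
```

Rows for your own account at a time you were away from the machine are the ones to compare against your schedule; the type 5 SYSTEM event posted in the thread is filtered out by both checks.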
