Recently I was going over my event logs and found that there was an event log 4624 representing a successful logon at 11.45. The thing was, I was in school from 8 to 5, and left my laptop at home. There's also activity at 9 am, though only events with id 5379(Credential Manager credentials were read.) are found
Is it possible that the events were triggered automatically somehow? Or should I be concerned that someone in my house knows my password and is logging on to my accounts? Is there a way i can see the activity done on my computer after an event 4624, or further verify if a person has accessed my computer?
From what I can see, there are mostly events with logon type 2, 5 and 11. Impersonation levels are mostly "Impersonation". Should I specifically look for and count combinations? e.g. (x events with logon type 2, Impersonation level "Impersonation"), (y eventswith logon type 5, impersonation level "" )
Am I correct in that I should only worry about events with logon type 11, and regard the other types as automated system background stuff?
Is there a way to scan specific logon types?

