question

0 Votes
HwikangLee-2468 asked

Windows forces a log-off whenever I run Process Monitor

We introduced new antivirus software, and after that some of our workers reported that IE11 (yes, we still use IE11 for WAS applications...) freezes 3~4 hours after boot.

Somehow we found out that the antivirus is the reason (when we turned off its real-time scanning, the IE11 freezing magically disappeared), and we (meaning me and the antivirus engineer) wanted to make a memory dump, so we turned on Process Monitor... then, boom! It forced Windows to log off. The Windows lock screen stood there, like a red signal on the road, refusing any input except the PC's reset switch.

In Event Viewer I found nothing but these two events, recorded when the log-off happened.

Can I get any clue?


    log 1: Logon

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4624</EventID>
        <Version>2</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2021-09-12T13:38:51.557999900Z" />
        <EventRecordID>35385608</EventRecordID>
        <Correlation ActivityID="{D99CE03A-A7D8-0001-4FE0-9CD9D8A7D701}" />
        <Execution ProcessID="728" ThreadID="816" />
        <Channel>Security</Channel>
        <Computer>REDACTED</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">REDACTED</Data>
        <Data Name="SubjectDomainName">REDACTED</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="TargetUserSid">S-1-5-18</Data>
        <Data Name="TargetUserName">SYSTEM</Data>
        <Data Name="TargetDomainName">NT AUTHORITY</Data>
        <Data Name="TargetLogonId">0x3e7</Data>
        <Data Name="LogonType">5</Data>
        <Data Name="LogonProcessName">Advapi</Data>
        <Data Name="AuthenticationPackageName">Negotiate</Data>
        <Data Name="WorkstationName">-</Data>
        <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x2b8</Data>
        <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
        <Data Name="IpAddress">-</Data>
        <Data Name="IpPort">-</Data>
        <Data Name="ImpersonationLevel">%%1833</Data>
        <Data Name="RestrictedAdminMode">-</Data>
        <Data Name="TargetOutboundUserName">-</Data>
        <Data Name="TargetOutboundDomainName">-</Data>
        <Data Name="VirtualAccount">%%1843</Data>
        <Data Name="TargetLinkedLogonId">0x0</Data>
        <Data Name="ElevatedToken">%%1842</Data>
      </EventData>
    </Event>

    log 2: Special Logon

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4672</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12548</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2021-09-12T13:38:51.558007000Z" />
        <EventRecordID>35385609</EventRecordID>
        <Correlation ActivityID="{D99CE03A-A7D8-0001-4FE0-9CD9D8A7D701}" />
        <Execution ProcessID="728" ThreadID="816" />
        <Channel>Security</Channel>
        <Computer>REDACTED</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">SYSTEM</Data>
        <Data Name="SubjectDomainName">NT AUTHORITY</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege</Data>
      </EventData>
    </Event>


windows-sysinternals-procmon

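The two records above can be read mechanically. The following is an added example, not code from the original post or from Microsoft: it parses trimmed copies of the question's own 4624 and 4672 records (constructed from the XML above, with the REDACTED fields left out), decodes the LogonType value against the standard Windows Security-auditing table, and reports what the pair does and does not show. The logon-type names, the logoff event IDs 4634/4647 and the well-known SYSTEM logon ID 0x3e7 are standard values; everything else (function and field names) is this example's own.

```python
"""Triage helper for the two Security-log records quoted in the question.

Added example, not part of the original post.  The two records below are
constructed by trimming the question's own Event Viewer XML; the logon-type
and event-ID tables are standard Windows Security-auditing values, and 0x3e7
is the well-known logon ID of NT AUTHORITY\\SYSTEM.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Standard values of the LogonType field of event 4624.
LOGON_TYPES = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
    "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
    "10": "RemoteInteractive", "11": "CachedInteractive",
}

# Events that actually record a user session ending; neither appears in the post.
LOGOFF_IDS = {"4634": "An account was logged off",
              "4647": "User initiated logoff"}

SYSTEM_LOGON_ID = "0x3e7"  # well-known logon session of NT AUTHORITY\SYSTEM

# Constructed sample input: the question's records, trimmed to the fields used.
EVENT_4624 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2021-09-12T13:38:51.557999900Z" />
    <Correlation ActivityID="{D99CE03A-A7D8-0001-4FE0-9CD9D8A7D701}" />
  </System>
  <EventData>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserName">SYSTEM</Data>
    <Data Name="TargetLogonId">0x3e7</Data>
    <Data Name="LogonType">5</Data>
    <Data Name="LogonProcessName">Advapi</Data>
    <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
  </EventData>
</Event>"""

EVENT_4672 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4672</EventID>
    <TimeCreated SystemTime="2021-09-12T13:38:51.558007000Z" />
    <Correlation ActivityID="{D99CE03A-A7D8-0001-4FE0-9CD9D8A7D701}" />
  </System>
  <EventData>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">SeTcbPrivilege SeDebugPrivilege</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten one Security-log record into a {field: value} dict."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    ev = {
        "EventID": sysnode.findtext("e:EventID", namespaces=NS),
        "Time": sysnode.find("e:TimeCreated", NS).get("SystemTime"),
        "ActivityID": sysnode.find("e:Correlation", NS).get("ActivityID"),
    }
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        ev[d.get("Name")] = (d.text or "").strip()
    return ev


def triage(events):
    """Report what the records show, and whether any of them records a logoff."""
    findings = []
    ids = [e["EventID"] for e in events]
    for e in events:
        if e["EventID"] == "4624":
            kind = LOGON_TYPES.get(e.get("LogonType"), "unknown")
            note = "4624 LogonType %s (%s) for %s via %s" % (
                e.get("LogonType"), kind, e.get("TargetUserName"), e.get("ProcessName"))
            if (kind == "Service" and e.get("TargetLogonId") == SYSTEM_LOGON_ID
                    and e.get("ProcessName", "").lower().endswith("services.exe")):
                note += ": services.exe starting a service under SYSTEM, not a user session ending"
            findings.append(note)
        elif e["EventID"] == "4672":
            note = "4672 special privileges for logon %s" % e.get("SubjectLogonId")
            if e.get("SubjectLogonId") == SYSTEM_LOGON_ID:
                note += ": routine companion of a SYSTEM logon"
            findings.append(note)
    return {
        "ids": ids,
        "has_logoff_event": any(i in LOGOFF_IDS for i in ids),
        "same_activity": len({e["ActivityID"] for e in events}) == 1,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage([parse_event(EVENT_4624), parse_event(EVENT_4672)])["findings"]:
        print(line)
```

Run against the two records, the helper reports a type 5 (Service) logon of SYSTEM performed by services.exe and the matching privilege assignment for logon 0x3e7, both under one Correlation ActivityID, and no 4634/4647 logoff event. In other words the pair documents a service starting at that instant, not the interactive session being terminated; the next thing to pull from the same timestamp window would be Security 4634/4647, Winlogon 7002, System 1074/6008/41 and Application 1000 entries, which this helper does not cover.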

0 Answers