Windows 10: 1 user only yet have multiple Account Names and Logon IDs in Event Log

Discus and support 1 user only yet have multiple Account Names and Logon IDs in Event Log in AntiVirus, Firewalls and System Security to solve the problem; Hello everyone. I look forward to learning more about Windows 10 and my computer. I was looking at the event log under security and I noticed I have... Discussion in 'AntiVirus, Firewalls and System Security' started by rphender38, Oct 31, 2016.

  1. RPHENDER38
    rphender38 Win User

    1 user only yet have multiple Account Names and Logon IDs in Event Log


    Hello everyone. I look forward to learning more about Windows 10 and my computer. I was looking at the event log under security and I noticed I have multiple Account Names and Logon Id - see below

    Security ID: SYSTEM
    Account Name: HENDERSON$
    Account Domain: WORKGROUP
    Logon ID: 0x3E7

    AND

    Subject:
    Security ID: HENDERSON\Rob
    Account Name: Rob
    Account Domain: HENDERSON
    Logon ID: 0x66EA9E



    Does this mean someone else is also logged onto my computer somehow?

    :)
     
    rphender38, Oct 31, 2016
    #1
  2. MAKSYMPARPALEY
    MaksymParpaley Win User

    Events duplication (in event viewer) after successful logon (in event viewer).

    Can you please explain me why I see several (looks like duplicated) event in Event Viewer after successful logon.

    For example after reboot (Win 10 workstation, no domain, no any specific configuration) I see in security log 2 totally identical logs for event 4624, type 2

    The same situation for "Unlock"

    I want to show you these events in logs:

    In this example PC in domain, and I am reproducing windows UNLOCK (logoff - logon):

    FIRST EVENT

    Log Name: Security

    Source: Microsoft-Windows-Security-Auditing

    Date: 2/14/2017 1:35:30 PM

    Event ID: 4624

    Task Category: Logon

    Level: Information

    Keywords: Audit Success

    User: N/A

    Computer: mpxxx.xxx.xxx.net

    Description:

    An account was successfully logged on.

    Subject:

    Security ID: SYSTEM

    Account Name: MPxxx$

    Account Domain: KIV

    Logon ID: 0x3E7

    Logon Information:

    Logon Type: 7

    Restricted Admin Mode: -

    Virtual Account: No

    Elevated Token: Yes

    Impersonation Level: Impersonation

    New Logon:

    Security ID: UNIVERSE\mpxxx

    Account Name: mpxxx

    Account Domain: UNIVERSE

    Logon ID: 0x3D5986

    Linked Logon ID: 0x3D8CF3

    Network Account Name: -

    Network Account Domain: -

    Logon GUID: {a97eb034-e1a9-beba-9e13-0376df13c092}

    Process Information:

    Process ID: 0x2cc

    Process Name: C:\Windows\System32\lsass.exe

    Network Information:

    Workstation Name: MPxxx

    Source Network Address: -

    Source Port: -

    Detailed Authentication Information:

    Logon Process: Negotiat

    Authentication Package: Negotiate

    Transited Services: -

    Package Name (NTLM only): -

    Key Length: 0

    SECOND DUPLICATED EVENT:

    Log Name: Security

    Source: Microsoft-Windows-Security-Auditing

    Date: 2/14/2017 1:35:30 PM

    Event ID: 4624

    Task Category: Logon

    Level: Information

    Keywords: Audit Success

    User: N/A

    Computer: mpxxx.xxx.xxx.net

    Description:

    An account was successfully logged on.

    Subject:

    Security ID: SYSTEM

    Account Name: MPxxx$

    Account Domain: KIV

    Logon ID: 0x3E7

    Logon Information:

    Logon Type: 7

    Restricted Admin Mode: -

    Virtual Account: No

    Elevated Token: No

    Impersonation Level: Impersonation

    New Logon:

    Security ID: UNIVERSE\mpxxx

    Account Name: mpxxx

    Account Domain: UNIVERSE

    Logon ID: 0x3D8CF3

    Linked Logon ID: 0x3D5986

    Network Account Name: -

    Network Account Domain: -

    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Process Information:

    Process ID: 0x2cc

    Process Name: C:\Windows\System32\lsass.exe

    Network Information:

    Workstation Name: MPxxx

    Source Network Address: -

    Source Port: -

    Detailed Authentication Information:

    Logon Process: Negotiat

    Authentication Package: Negotiate

    Transited Services: -

    Package Name (NTLM only): -

    Key Length: 0

    The only difference is in "Elevated Token: and Logon GUID:" portion of output

    Dear MS Guru please give me any ideas why this duplication happens. It is important for because I am planning to send events to third party security system and duplication makes a lot of unnecessary noise

    Thank you.
     
    MaksymParpaley, Oct 31, 2016
    #2
  3. PETERFRAGON
    PeterFragon Win User
    Remote Login and New admin account created on my machine - hacked?

    OK so a user named Lorenco was logged into my machine today when I went to login.

    This user account should not exist and was connected remotely I believe

    I captured all the event logs, what do I need to verify this was a hack or a legit login?

    Received user logon notification on session 4.

    shell\roaming\settingsync\settingprofilehandler.cpp(24)\SettingSync errors

    event log cleared the user

    The audit log was cleared.

    Subject:

    Security ID: GROD\Lorenco

    Account Name: Lorenco

    Domain Name: GROD

    Logon ID: 0x46D9E82

    A user's local group membership was enumerated.

    Subject:

    Security ID: GROD\Lorenco

    Account Name: Lorenco

    Account Domain: GROD

    Logon ID: 0x46D9EA0

    User:

    Security ID: GROD\Lorenco

    Account Name: Lorenco

    Account Domain: GROD

    Process Information:

    Process ID: 0x2618

    Process Name: C:\Users\Lorenco\Desktop\GoogleChromePortable\App\Chrome-bin\chrome.exe

    Much more in the logs..
     
    PeterFragon, Oct 31, 2016
    #3
Thema:

1 user only yet have multiple Account Names and Logon IDs in Event Log

Loading...

  1. 1 user only yet have multiple Account Names and Logon IDs in Event Log - Similar Threads - user yet multiple

  2. Logon Event Event ID 4648. Events only log during a successful remote desktop in to the...

    in Windows 10 Gaming
    Logon Event Event ID 4648. Events only log during a successful remote desktop in to the...: We have a computer that isn't allowed to be connected to the internet but we have it set up so that we can remote in to it to work on it. It is not connected to our domain at all but is still throwing this logon error despite no one trying to log in with this username. Here...

  3. Logon Event Event ID 4648. Events only log during a successful remote desktop in to the...

    in Windows 10 Software and Apps
    Logon Event Event ID 4648. Events only log during a successful remote desktop in to the...: We have a computer that isn't allowed to be connected to the internet but we have it set up so that we can remote in to it to work on it. It is not connected to our domain at all but is still throwing this logon error despite no one trying to log in with this username. Here...

  4. Logon Event Event ID 4648. Events only log during a successful remote desktop in to the...

    in AntiVirus, Firewalls and System Security
    Logon Event Event ID 4648. Events only log during a successful remote desktop in to the...: We have a computer that isn't allowed to be connected to the internet but we have it set up so that we can remote in to it to work on it. It is not connected to our domain at all but is still throwing this logon error despite no one trying to log in with this username. Here...

  5. WHEA Error Event Logs ID event 1

    in Windows 10 Gaming
    WHEA Error Event Logs ID event 1: My new laptop restarts randomly even after hours of use, even disabling automatic startup in the event of errors in the startup and recovery section, only bringing me a WHEA LOGGER dump file, I attach the dump file, I have already tried to formatting the PC with a new...

  6. WHEA Error Event Logs ID event 1

    in Windows 10 Software and Apps
    WHEA Error Event Logs ID event 1: My new laptop restarts randomly even after hours of use, even disabling automatic startup in the event of errors in the startup and recovery section, only bringing me a WHEA LOGGER dump file, I attach the dump file, I have already tried to formatting the PC with a new...

  7. Logon Event IDs Explanations

    in AntiVirus, Firewalls and System Security
    Logon Event IDs Explanations: Hi, I'm a non-dev person and would like some answers regarding Event Viewer in Windows 10. I wanted to keep tabs on if my PC was logged in during my absence. I found that Event ID 4624 shows the successful logins. But when I filter the ID, it turns out that several events...

  8. Event ID 1 warning & Event ID 2 error

    in Windows 10 Performance & Maintenance
    Event ID 1 warning & Event ID 2 error: Hello, After Fall Creators update I'm seeing 1 error and 1 warning in the Event Viewer which I'm not able to resolve. Event ID 1 The backing-file for the real-time session "DefenderApiLogger" has reached its maximum size. As a result, new events will not be logged to...

  9. Logon Screen shows 2 users but there is only 1 user

    in Windows 10 Support
    Logon Screen shows 2 users but there is only 1 user: On a friends laptop which was given to him, on the startup/logon screen he sees 2 names. His own and the previous owner. He said he deleted the user account for the previous owner and if I go to users, it only shows him as the sole user as administrator. If I use the...

  10. Event ID 1 SpeechRuntime

    in Windows 10 Support
    Event ID 1 SpeechRuntime: So I have this odd quirk the past few days. Sometimes on certain windows apps like Netflix or System settings it will hang till I close out but when I go back into them it acts normal and when I check the event log it gives me this. Audio Orchestrator Power Event: Battery...

Users found this page by searching for:

  1. remove remote admin roaming settingsync settingprofilehandler.cpp

    ,

  2. multiple logon IDs for same security id event viewer