Windows 10: 1 user only yet have multiple Account Names and Logon IDs in Event Log

Discus and support 1 user only yet have multiple Account Names and Logon IDs in Event Log in AntiVirus, Firewalls and System Security to solve the problem; Hello everyone. I look forward to learning more about Windows 10 and my computer. I was looking at the event log under security and I noticed I have... Discussion in 'AntiVirus, Firewalls and System Security' started by rphender38, Oct 31, 2016.

  1. RPHENDER38
    rphender38 Win User

    1 user only yet have multiple Account Names and Logon IDs in Event Log


    Hello everyone. I look forward to learning more about Windows 10 and my computer. I was looking at the event log under security and I noticed I have multiple Account Names and Logon Id - see below

    Security ID: SYSTEM
    Account Name: HENDERSON$
    Account Domain: WORKGROUP
    Logon ID: 0x3E7

    AND

    Subject:
    Security ID: HENDERSON\Rob
    Account Name: Rob
    Account Domain: HENDERSON
    Logon ID: 0x66EA9E



    Does this mean someone else is also logged onto my computer somehow?

    :)
     
    rphender38, Oct 31, 2016
    #1
  2. MAKSYMPARPALEY
    MaksymParpaley Win User

    Events duplication (in event viewer) after successful logon (in event viewer).

    Can you please explain me why I see several (looks like duplicated) event in Event Viewer after successful logon.

    For example after reboot (Win 10 workstation, no domain, no any specific configuration) I see in security log 2 totally identical logs for event 4624, type 2

    The same situation for "Unlock"

    I want to show you these events in logs:

    In this example PC in domain, and I am reproducing windows UNLOCK (logoff - logon):

    FIRST EVENT

    Log Name: Security

    Source: Microsoft-Windows-Security-Auditing

    Date: 2/14/2017 1:35:30 PM

    Event ID: 4624

    Task Category: Logon

    Level: Information

    Keywords: Audit Success

    User: N/A

    Computer: mpxxx.xxx.xxx.net

    Description:

    An account was successfully logged on.

    Subject:

    Security ID: SYSTEM

    Account Name: MPxxx$

    Account Domain: KIV

    Logon ID: 0x3E7

    Logon Information:

    Logon Type: 7

    Restricted Admin Mode: -

    Virtual Account: No

    Elevated Token: Yes

    Impersonation Level: Impersonation

    New Logon:

    Security ID: UNIVERSE\mpxxx

    Account Name: mpxxx

    Account Domain: UNIVERSE

    Logon ID: 0x3D5986

    Linked Logon ID: 0x3D8CF3

    Network Account Name: -

    Network Account Domain: -

    Logon GUID: {a97eb034-e1a9-beba-9e13-0376df13c092}

    Process Information:

    Process ID: 0x2cc

    Process Name: C:\Windows\System32\lsass.exe

    Network Information:

    Workstation Name: MPxxx

    Source Network Address: -

    Source Port: -

    Detailed Authentication Information:

    Logon Process: Negotiat

    Authentication Package: Negotiate

    Transited Services: -

    Package Name (NTLM only): -

    Key Length: 0

    SECOND DUPLICATED EVENT:

    Log Name: Security

    Source: Microsoft-Windows-Security-Auditing

    Date: 2/14/2017 1:35:30 PM

    Event ID: 4624

    Task Category: Logon

    Level: Information

    Keywords: Audit Success

    User: N/A

    Computer: mpxxx.xxx.xxx.net

    Description:

    An account was successfully logged on.

    Subject:

    Security ID: SYSTEM

    Account Name: MPxxx$

    Account Domain: KIV

    Logon ID: 0x3E7

    Logon Information:

    Logon Type: 7

    Restricted Admin Mode: -

    Virtual Account: No

    Elevated Token: No

    Impersonation Level: Impersonation

    New Logon:

    Security ID: UNIVERSE\mpxxx

    Account Name: mpxxx

    Account Domain: UNIVERSE

    Logon ID: 0x3D8CF3

    Linked Logon ID: 0x3D5986

    Network Account Name: -

    Network Account Domain: -

    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Process Information:

    Process ID: 0x2cc

    Process Name: C:\Windows\System32\lsass.exe

    Network Information:

    Workstation Name: MPxxx

    Source Network Address: -

    Source Port: -

    Detailed Authentication Information:

    Logon Process: Negotiat

    Authentication Package: Negotiate

    Transited Services: -

    Package Name (NTLM only): -

    Key Length: 0

    The only difference is in "Elevated Token: and Logon GUID:" portion of output

    Dear MS Guru please give me any ideas why this duplication happens. It is important for because I am planning to send events to third party security system and duplication makes a lot of unnecessary noise

    Thank you.
     
    MaksymParpaley, Oct 31, 2016
    #2
  3. PETERFRAGON
    PeterFragon Win User
    Remote Login and New admin account created on my machine - hacked?

    OK so a user named Lorenco was logged into my machine today when I went to login.

    This user account should not exist and was connected remotely I believe

    I captured all the event logs, what do I need to verify this was a hack or a legit login?

    Received user logon notification on session 4.

    shell\roaming\settingsync\settingprofilehandler.cpp(24)\SettingSync errors

    event log cleared the user

    The audit log was cleared.

    Subject:

    Security ID: GROD\Lorenco

    Account Name: Lorenco

    Domain Name: GROD

    Logon ID: 0x46D9E82

    A user's local group membership was enumerated.

    Subject:

    Security ID: GROD\Lorenco

    Account Name: Lorenco

    Account Domain: GROD

    Logon ID: 0x46D9EA0

    User:

    Security ID: GROD\Lorenco

    Account Name: Lorenco

    Account Domain: GROD

    Process Information:

    Process ID: 0x2618

    Process Name: C:\Users\Lorenco\Desktop\GoogleChromePortable\App\Chrome-bin\chrome.exe

    Much more in the logs..
     
    PeterFragon, Oct 31, 2016
    #3
Thema:

1 user only yet have multiple Account Names and Logon IDs in Event Log

Loading...

  1. 1 user only yet have multiple Account Names and Logon IDs in Event Log - Similar Threads - user yet multiple

  2. WHEA Error Event Logs ID event 1

    in Windows 10 Gaming
    WHEA Error Event Logs ID event 1: My new laptop restarts randomly even after hours of use, even disabling automatic startup in the event of errors in the startup and recovery section, only bringing me a WHEA LOGGER dump file, I attach the dump file, I have already tried to formatting the PC with a new...

  3. WHEA Error Event Logs ID event 1

    in Windows 10 Software and Apps
    WHEA Error Event Logs ID event 1: My new laptop restarts randomly even after hours of use, even disabling automatic startup in the event of errors in the startup and recovery section, only bringing me a WHEA LOGGER dump file, I attach the dump file, I have already tried to formatting the PC with a new...

  4. Multiple Event ID 4624 in Event Viewer

    in Windows 10 Ask Insider
    Multiple Event ID 4624 in Event Viewer: Hi guys. Lets say I went out and left my laptop at home. When I come back I notice many "Audit Success" logs with ID 4624 in the Event Viewer during the time I was out. Is this something I should be concerned about and that someone has been trying to access my laptop? Thanks!...

  5. Is it normal for the Event Viewer Security logs to have a lot of logons?

    in Windows 10 Ask Insider
    Is it normal for the Event Viewer Security logs to have a lot of logons?: Is 7 Special logons in a row normal? submitted by /u/STOP_POLLUTING [link] [comments] https://www.reddit.com/r/Windows10/comments/hz4iun/is_it_normal_for_the_event_viewer_security_logs/

  6. Logon Event IDs Explanations

    in AntiVirus, Firewalls and System Security
    Logon Event IDs Explanations: Hi, I'm a non-dev person and would like some answers regarding Event Viewer in Windows 10. I wanted to keep tabs on if my PC was logged in during my absence. I found that Event ID 4624 shows the successful logins. But when I filter the ID, it turns out that several events...

  7. BSOD Multiple Event ID's

    in Windows 10 BSOD Crashes and Debugging
    BSOD Multiple Event ID's: No idea why it is happening, I included all necessary files to my knowledge, please help. Crashes very frequently. Please let me know if any more information is needed. https://1drv.ms/u/s!AnM0r4-pnYFNiHdq8Sdw92zGU_tX?e=hGS704...

  8. Event ID 1 warning & Event ID 2 error

    in Windows 10 Performance & Maintenance
    Event ID 1 warning & Event ID 2 error: Hello, After Fall Creators update I'm seeing 1 error and 1 warning in the Event Viewer which I'm not able to resolve. Event ID 1 The backing-file for the real-time session "DefenderApiLogger" has reached its maximum size. As a result, new events will not be logged to...

  9. Logon Screen shows 2 users but there is only 1 user

    in Windows 10 Support
    Logon Screen shows 2 users but there is only 1 user: On a friends laptop which was given to him, on the startup/logon screen he sees 2 names. His own and the previous owner. He said he deleted the user account for the previous owner and if I go to users, it only shows him as the sole user as administrator. If I use the...

  10. Event ID 1 SpeechRuntime

    in Windows 10 Support
    Event ID 1 SpeechRuntime: So I have this odd quirk the past few days. Sometimes on certain windows apps like Netflix or System settings it will hang till I close out but when I go back into them it acts normal and when I check the event log it gives me this. Audio Orchestrator Power Event: Battery...

Users found this page by searching for:

  1. remove remote admin roaming settingsync settingprofilehandler.cpp

    ,

  2. multiple logon IDs for same security id event viewer