Windows 10: Are UMFD and DWM Logon Sessions Destroyed on Restart, Even if Event Viewer Doesn't Say?

usually when I log off and shut down my PC, you can look back to that time in Event Viewer Security logs and see 3 specific IDs4648, 4624, and 4634, which are all related to UMFD/font drive host and DWM/Windows Manager sessions that get created on every startup. when I shut down, they get logged off, which is what the 4634 events are forhowever, I found that last night when I shut my PC down, there were no 4634 events, just the 4648 and 4624 events for UMFD and DWM. there weren't even any logoff events for my actual User accountthe new logon IDs for the current UMFD and DWM sessions are differ

:)

 

Strange activity on event viewer?

Hey! Sorry if this is a strange question, but I've been noticing some weird things on the event viewer when I check it sometimes and just want to make sure its ok.

Every time I log in or off other accounts are logged off too, called font driver host and windows manager as security IDs with logon type 2. It also says explicit credentials were used when they log on. (does this mean my password is being used?) here is
what happens when i log off.

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 14/08/2017 20:05:17

Event ID: 4634

Task Category: Logoff

Level: Information

Keywords: Audit Success

User: N/A

Computer: home-PC

Description:

An account was logged off.

Subject:

Security ID: Font Driver Host\UMFD-11

Account Name: UMFD-11

Account Domain: Font Driver Host

Logon ID: 0x1F75E1F

Logon Type: 2

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

<EventID>4634</EventID>

<Version>0</Version>

<Level>0</Level>

<Task>12545</Task>

<Opcode>0</Opcode>

<Keywords>0x8020000000000000</Keywords>

<TimeCreated SystemTime="2017-08-14T19:05:17.324961600Z" />

<EventRecordID>8355</EventRecordID>

<Correlation />

<Execution ProcessID="776" ThreadID="6380" />

<Channel>Security</Channel>

<Computer>home-PC</Computer>

<Security />

</System>

<EventData>

<Data Name="TargetUserSid">S-1-5-96-0-11</Data>

<Data Name="TargetUserName">UMFD-11</Data>

<Data Name="TargetDomainName">Font Driver Host</Data>

<Data Name="TargetLogonId">0x1f75e1f</Data>

<Data Name="LogonType">2</Data>

</EventData>

</Event>

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 14/08/2017 20:05:17

Event ID: 4634

Task Category: Logoff

Level: Information

Keywords: Audit Success

User: N/A

Computer: home-PC

Description:

An account was logged off.

Subject:

Security ID: Window Manager\DWM-11

Account Name: DWM-11

Account Domain: Window Manager

Logon ID: 0x1F761CE

Logon Type: 2

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

<EventID>4634</EventID>

<Version>0</Version>

<Level>0</Level>

<Task>12545</Task>

<Opcode>0</Opcode>

<Keywords>0x8020000000000000</Keywords>

<TimeCreated SystemTime="2017-08-14T19:05:17.324879500Z" />

<EventRecordID>8354</EventRecordID>

<Correlation />

<Execution ProcessID="776" ThreadID="6380" />

<Channel>Security</Channel>

<Computer>home-PC</Computer>

<Security />

</System>

<EventData>

<Data Name="TargetUserSid">S-1-5-90-0-11</Data>

<Data Name="TargetUserName">DWM-11</Data>

<Data Name="TargetDomainName">Window Manager</Data>

<Data Name="TargetLogonId">0x1f761ce</Data>

<Data Name="LogonType">2</Data>

</EventData>

</Event>

Sorry if this is really dumb, but I'm just a bit concerned as this was my sisters computer and im now using it for my finances. thanks in advance for any responce.

 

Event viewer

I suggest you re-install the video driver. I'll add a few words of explanation about Event viewer in a moment. They won't affect the need to reinstall that driver as your first step. Denis

 

SPECIAL LOGON in Event Log

Hi Emeline,

Thank you for posting the query on Microsoft Community.

• When you say special logon, what are you referring to?
• What do you mean by private browser window?

Refer the link below for more information about event logs or viewer:

Event
viewer-- What is going on in your computer

Please get back to us with the required information to assist you further.