Windows 10: Event Viewer - Logon Category - Not Reflecting Admin account

I am working on a system image, and notice that the event viewer for logon category does not reflect the proper account information see attached image . I would like to know why this is occurring and what GPOs and or Registry values may be affecting this or not set properly.

:)

 

Events duplication (in event viewer) after successful logon (in event viewer).

Can you please explain me why I see several (looks like duplicated) event in Event Viewer after successful logon.

For example after reboot (Win 10 workstation, no domain, no any specific configuration) I see in security log 2 totally identical logs for event 4624, type 2

The same situation for "Unlock"

I want to show you these events in logs:

In this example PC in domain, and I am reproducing windows UNLOCK (logoff - logon):

FIRST EVENT

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 2/14/2017 1:35:30 PM

Event ID: 4624

Task Category: Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: mpxxx.xxx.xxx.net

Description:

An account was successfully logged on.

Subject:

Security ID: SYSTEM

Account Name: MPxxx$

Account Domain: KIV

Logon ID: 0x3E7

Logon Information:

Logon Type: 7

Restricted Admin Mode: -

Virtual Account: No

Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:

Security ID: UNIVERSE\mpxxx

Account Name: mpxxx

Account Domain: UNIVERSE

Logon ID: 0x3D5986

Linked Logon ID: 0x3D8CF3

Network Account Name: -

Network Account Domain: -

Logon GUID: {a97eb034-e1a9-beba-9e13-0376df13c092}

Process Information:

Process ID: 0x2cc

Process Name: C:\Windows\System32\lsass.exe

Network Information:

Workstation Name: MPxxx

Source Network Address: -

Source Port: -

Detailed Authentication Information:

Logon Process: Negotiat

Authentication Package: Negotiate

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

SECOND DUPLICATED EVENT:

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 2/14/2017 1:35:30 PM

Event ID: 4624

Task Category: Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: mpxxx.xxx.xxx.net

Description:

An account was successfully logged on.

Subject:

Security ID: SYSTEM

Account Name: MPxxx$

Account Domain: KIV

Logon ID: 0x3E7

Logon Information:

Logon Type: 7

Restricted Admin Mode: -

Virtual Account: No

Elevated Token: No

Impersonation Level: Impersonation

New Logon:

Security ID: UNIVERSE\mpxxx

Account Name: mpxxx

Account Domain: UNIVERSE

Logon ID: 0x3D8CF3

Linked Logon ID: 0x3D5986

Network Account Name: -

Network Account Domain: -

Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:

Process ID: 0x2cc

Process Name: C:\Windows\System32\lsass.exe

Network Information:

Workstation Name: MPxxx

Source Network Address: -

Source Port: -

Detailed Authentication Information:

Logon Process: Negotiat

Authentication Package: Negotiate

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

The only difference is in "Elevated Token: and Logon GUID:" portion of output

Dear MS Guru please give me any ideas why this duplication happens. It is important for because I am planning to send events to third party security system and duplication makes a lot of unnecessary noise

Thank you.

 

I want to lookover the logon history of workstation including logon and logout times for all user accounts as the event viewer was lock by server administrator

- logon history of workstation including logon and logout times for all user accounts

- the event viewer was lock by server administrator

-control panel was lock by administor

 

SPECIAL LOGON in Event Log

Hi Emeline,

Thank you for posting the query on Microsoft Community.

• When you say special logon, what are you referring to?
• What do you mean by private browser window?

Refer the link below for more information about event logs or viewer:

Event
viewer-- What is going on in your computer

Please get back to us with the required information to assist you further.