Windows 10: Logon Event Event ID 4648. Events only log during a successful remote desktop in to the...

Discussion in 'Windows 10 Software and Apps' started by ItsChefMatt, Aug 2, 2024.

  1. Logon Event Event ID 4648. Events only log during a successful remote desktop in to the...


    We have a computer that isn't allowed to be connected to the internet but we have it set up so that we can remote in to it to work on it. It is not connected to our domain at all but is still throwing this logon error despite no one trying to log in with this username. Here is an image with the event viewer and how much it logs and how consistently: https://i.imgur.com/oRG3I5A.png

    Things I have looked at:
    - Not connected to work domain
    - Not a current user that is allowed locally or even exists locally
    - Doesn't show anywhere in the Registry
    - Can't find any files relating or calling for the acc

     
    ItsChefMatt, Aug 2, 2024
    #1

  2. Events duplication (in event viewer) after successful logon (in event viewer).

    Can you please explain to me why I see several (apparently duplicated) events in Event Viewer after a successful logon?

    For example, after a reboot (Win 10 workstation, no domain, no specific configuration) I see in the security log 2 totally identical logs for event 4624, type 2.

    The same situation for "Unlock"

    I want to show you these events in logs:

    In this example the PC is in a domain, and I am reproducing a Windows UNLOCK (logoff - logon):

    FIRST EVENT

    Log Name: Security

    Source: Microsoft-Windows-Security-Auditing

    Date: 2/14/2017 1:35:30 PM

    Event ID: 4624

    Task Category: Logon

    Level: Information

    Keywords: Audit Success

    User: N/A

    Computer: mpxxx.xxx.xxx.net

    Description:

    An account was successfully logged on.

    Subject:

    Security ID: SYSTEM

    Account Name: MPxxx$

    Account Domain: KIV

    Logon ID: 0x3E7

    Logon Information:

    Logon Type: 7

    Restricted Admin Mode: -

    Virtual Account: No

    Elevated Token: Yes

    Impersonation Level: Impersonation

    New Logon:

    Security ID: UNIVERSE\mpxxx

    Account Name: mpxxx

    Account Domain: UNIVERSE

    Logon ID: 0x3D5986

    Linked Logon ID: 0x3D8CF3

    Network Account Name: -

    Network Account Domain: -

    Logon GUID: {a97eb034-e1a9-beba-9e13-0376df13c092}

    Process Information:

    Process ID: 0x2cc

    Process Name: C:\Windows\System32\lsass.exe

    Network Information:

    Workstation Name: MPxxx

    Source Network Address: -

    Source Port: -

    Detailed Authentication Information:

    Logon Process: Negotiat

    Authentication Package: Negotiate

    Transited Services: -

    Package Name (NTLM only): -

    Key Length: 0

    SECOND DUPLICATED EVENT:

    Log Name: Security

    Source: Microsoft-Windows-Security-Auditing

    Date: 2/14/2017 1:35:30 PM

    Event ID: 4624

    Task Category: Logon

    Level: Information

    Keywords: Audit Success

    User: N/A

    Computer: mpxxx.xxx.xxx.net

    Description:

    An account was successfully logged on.

    Subject:

    Security ID: SYSTEM

    Account Name: MPxxx$

    Account Domain: KIV

    Logon ID: 0x3E7

    Logon Information:

    Logon Type: 7

    Restricted Admin Mode: -

    Virtual Account: No

    Elevated Token: No

    Impersonation Level: Impersonation

    New Logon:

    Security ID: UNIVERSE\mpxxx

    Account Name: mpxxx

    Account Domain: UNIVERSE

    Logon ID: 0x3D8CF3

    Linked Logon ID: 0x3D5986

    Network Account Name: -

    Network Account Domain: -

    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Process Information:

    Process ID: 0x2cc

    Process Name: C:\Windows\System32\lsass.exe

    Network Information:

    Workstation Name: MPxxx

    Source Network Address: -

    Source Port: -

    Detailed Authentication Information:

    Logon Process: Negotiat

    Authentication Package: Negotiate

    Transited Services: -

    Package Name (NTLM only): -

    Key Length: 0

    The only difference is in the "Elevated Token:" and "Logon GUID:" portions of the output.

    Dear MS Guru, please give me any ideas why this duplication happens. It is important for me because I am planning to send events to a third-party security system and duplication makes a lot of unnecessary noise.

    Thank you.
     
    MaksymParpaley, Aug 2, 2024
    #2
  3. Understanding about Audit Logon Event

    Hi

    Welcome to Microsoft community.

    The Audit Logon events in the Windows Event Log are generated by the operating system to track user logon and logoff activities on a system. These events can provide valuable information about who is accessing the system and when. However, it's essential to understand that these events can also be generated by various system processes, services, and background tasks, not just by physical user logins.

    Here are some common scenarios where you might see duplicate login/logout events and Kerberos Ticket requests in the Event Log, even when there's no physical user logging into the client machine:

    1. Scheduled Tasks: Some scheduled tasks or background processes may require authentication and generate logon events, even when no user is interacting with the machine. These tasks could include maintenance tasks, background updates, and other system-related activities.
    2. Service Accounts: System services, applications, or tasks running under service accounts might trigger logon events for those accounts without involving physical users. Service accounts are often used to run various services in the background.
    3. Network Access: If the system is accessed remotely via network shares or other network resources, logon events might be generated for that remote access, even if no user is directly interacting with the machine.
    4. Cached Credentials: In some cases, cached credentials might be used to access network resources, which can lead to logon events, even if no fresh user authentication occurs.
    5. Kerberos Ticket Renewal: Kerberos is the authentication protocol used in Windows environments. When a user logs in, a Kerberos Ticket is generated, and it may be automatically renewed by the system without requiring the user to log in again.
    6. Terminal Services or Remote Desktop Services: In environments with remote desktop or terminal services enabled, logon events might be triggered for remote sessions.

    To better understand the specific cause of the duplicate logon events in your environment, it's recommended to analyze the Event Log in more detail. Check the event IDs associated with the logon and logoff activities and look for information about the type of logon (e.g., interactive, network, batch, service, etc.), the user account involved, the source of the logon (e.g., Service, Network, LogonUI, etc.), and any associated IP addresses.

    Remember that logs can vary depending on the system configuration and the applications running.

    Please feel free to let me know if you have any further updates, thanks.

    Best regards

    Derrick Qian | Microsoft Community Support Specialist
     
    Derrick19 - MSFT, Aug 2, 2024
    #3
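
Added example (not part of any post above, and not Microsoft's code): the two 4624 records in post #2 point at each other through Logon ID and Linked Logon ID and differ in Elevated Token, which is how Windows records the paired logon sessions of a single logon. The sketch below parses Event Viewer text in that layout, collapses such pairs into one row before forwarding, and labels each row by Logon Type as post #3 suggests; the function names and the third sample record (a service logon) are constructed for illustration.

```python
# Logon types produced by a person at the console or over RDP.
HUMAN_TYPES = {2: "interactive", 7: "unlock", 10: "remote-interactive", 11: "cached-interactive"}

def parse_events(text):
    """Parse Event Viewer text into dicts keyed by (section, field)."""
    events, section = [], ""
    for line in filter(None, map(str.strip, text.splitlines())):
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Log Name":        # first line of every record on the page
            events.append({})
            section = ""
        if value and events:
            events[-1][(section, key)] = value
        elif not value:
            section = key            # "Subject:", "New Logon:", ...
    return events

def collapse_linked(events):
    """Merge the two 4624 records of one logon into a single row."""
    by_id, rows = {}, []
    for ev in events:
        if ev.get(("", "Event ID")) != "4624":
            continue
        new = {k[1]: v for k, v in ev.items() if k[0] == "New Logon"}
        lid, linked = new.get("Logon ID"), new.get("Linked Logon ID")
        pair = by_id.get(linked)
        if pair and pair["linked"] == lid and pair["user"] == new.get("Account Name"):
            pair["logon_ids"].append(lid)    # other half of the same logon
            continue
        ltype = int(ev[("Logon Information", "Logon Type")])
        row = {"user": new.get("Account Name"), "type": ltype, "linked": linked,
               "kind": HUMAN_TYPES.get(ltype, "non-interactive"), "logon_ids": [lid]}
        by_id[lid] = row
        rows.append(row)
    return rows

def _record(ltype, elevated, user, lid, linked):
    # Constructed sample record in the layout of the dumps in post #2.
    return (f"Log Name: Security\nEvent ID: 4624\nSubject:\nAccount Name: MPxxx$\n"
            f"Logon ID: 0x3E7\nLogon Information:\nLogon Type: {ltype}\n"
            f"Elevated Token: {elevated}\nNew Logon:\nAccount Name: {user}\n"
            f"Logon ID: {lid}\nLinked Logon ID: {linked}\n")

SAMPLE = (_record(7, "Yes", "mpxxx", "0x3D5986", "0x3D8CF3")
          + _record(7, "No", "mpxxx", "0x3D8CF3", "0x3D5986")
          + _record(5, "Yes", "SYSTEM", "0x3E7", "0x0"))  # constructed service logon

if __name__ == "__main__":
    for row in collapse_linked(parse_events(SAMPLE)):
        print(row["user"], row["type"], row["kind"], row["logon_ids"])
```

Logon IDs are only unique between reboots, so apply the pairing per boot session or over a bounded time window.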
  4. Logon Event Event ID 4648. Events only log during a successful remote desktop in to the...

    Logon Event IDs Explanations

    Hi,

    I'm a non-dev person and would like some answers regarding Event Viewer in Windows 10. I wanted to keep tabs on if my PC was logged in during my absence. I found that Event ID 4624 shows the successful logins. But when I filter the ID, it turns out that several events are being logged and there's no way to find out which time actually a human logged in. My questions are:

    1. My Event viewer for 4624 filter looks like this: https://sc.vtedev.com/hafiz/02_10_2020_0000.png . Is this normal?

    2. If yes, how can I separate the actual human logins from these automated logs?

    3. If no, is there a malware that's causing it?

    4. Am I using wrong Event ID? If yes, can you suggest me the correct one?

    I'd really appreciate any help on this. Thanks and great day!

     
    ShehzadMohyuddin, Aug 2, 2024
    #4