Windows 10: Logon Event IDs Explanations

Discussion in 'AntiVirus, Firewalls and System Security' started by ShehzadMohyuddin, Feb 10, 2020.

  1. Logon Event IDs Explanations


    Hi,


    I'm a non-dev person and would like some answers regarding Event Viewer in Windows 10. I wanted to keep tabs on if my PC was logged in during my absence. I found that Event ID 4624 shows the successful logins. But when I filter the ID, it turns out that several events are being logged and there's no way to find out at which time a human actually logged in. My questions are:


    1. My Event viewer for 4624 filter looks like this: https://sc.vtedev.com/hafiz/02_10_2020_0000.png . Is this normal?


    2. If yes, how can I separate the actual human logins from these automated logs?


    3. If no, is there malware that's causing it?


    4. Am I using the wrong Event ID? If yes, can you suggest the correct one?


    I'd really appreciate any help on this. Thanks and great day!

    :)
     
    ShehzadMohyuddin, Feb 10, 2020
    #1

  2. Events duplication (in event viewer) after successful logon (in event viewer).

    Can you please explain to me why I see several (seemingly duplicated) events in Event Viewer after a successful logon?

    For example, after a reboot (Win 10 workstation, no domain, no specific configuration) I see in the security log 2 totally identical entries for event 4624, type 2.

    The same situation applies to "Unlock".

    I want to show you these events in the logs:

    In this example the PC is in a domain, and I am reproducing a Windows UNLOCK (logoff - logon):

    FIRST EVENT

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 2/14/2017 1:35:30 PM
    Event ID: 4624
    Task Category: Logon
    Level: Information
    Keywords: Audit Success
    User: N/A
    Computer: mpxxx.xxx.xxx.net
    Description:
    An account was successfully logged on.

    Subject:
        Security ID: SYSTEM
        Account Name: MPxxx$
        Account Domain: KIV
        Logon ID: 0x3E7

    Logon Information:
        Logon Type: 7
        Restricted Admin Mode: -
        Virtual Account: No
        Elevated Token: Yes

    Impersonation Level: Impersonation

    New Logon:
        Security ID: UNIVERSE\mpxxx
        Account Name: mpxxx
        Account Domain: UNIVERSE
        Logon ID: 0x3D5986
        Linked Logon ID: 0x3D8CF3
        Network Account Name: -
        Network Account Domain: -
        Logon GUID: {a97eb034-e1a9-beba-9e13-0376df13c092}

    Process Information:
        Process ID: 0x2cc
        Process Name: C:\Windows\System32\lsass.exe

    Network Information:
        Workstation Name: MPxxx
        Source Network Address: -
        Source Port: -

    Detailed Authentication Information:
        Logon Process: Negotiat
        Authentication Package: Negotiate
        Transited Services: -
        Package Name (NTLM only): -
        Key Length: 0

    SECOND DUPLICATED EVENT:

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 2/14/2017 1:35:30 PM
    Event ID: 4624
    Task Category: Logon
    Level: Information
    Keywords: Audit Success
    User: N/A
    Computer: mpxxx.xxx.xxx.net
    Description:
    An account was successfully logged on.

    Subject:
        Security ID: SYSTEM
        Account Name: MPxxx$
        Account Domain: KIV
        Logon ID: 0x3E7

    Logon Information:
        Logon Type: 7
        Restricted Admin Mode: -
        Virtual Account: No
        Elevated Token: No

    Impersonation Level: Impersonation

    New Logon:
        Security ID: UNIVERSE\mpxxx
        Account Name: mpxxx
        Account Domain: UNIVERSE
        Logon ID: 0x3D8CF3
        Linked Logon ID: 0x3D5986
        Network Account Name: -
        Network Account Domain: -
        Logon GUID: {00000000-0000-0000-0000-000000000000}

    Process Information:
        Process ID: 0x2cc
        Process Name: C:\Windows\System32\lsass.exe

    Network Information:
        Workstation Name: MPxxx
        Source Network Address: -
        Source Port: -

    Detailed Authentication Information:
        Logon Process: Negotiat
        Authentication Package: Negotiate
        Transited Services: -
        Package Name (NTLM only): -
        Key Length: 0

    The only difference is in the "Elevated Token:" and "Logon GUID:" portions of the output.

    Dear MS Guru, please give me any ideas why this duplication happens. It is important for me because I am planning to send events to a third-party security system and duplication makes a lot of unnecessary noise.

    Thank you.
     
    MaksymParpaley, Feb 10, 2020
    #2
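
Added example (not part of any post in this thread and not Microsoft tooling): Python that reads 4624 events in the rendered text layout quoted in post #2, keeps logon types 2, 7, 10 and 11 for non-virtual accounts as the likely human logons asked about in post #1, and merges the two events whose Logon ID and Linked Logon ID point at each other into one record before forwarding. The function names, the treatment of virtual accounts as non-human, and the sample events are assumptions constructed for illustration.

```python
import re

# Logon types with a person at the keyboard or on remote desktop:
# 2 Interactive, 7 Unlock, 10 RemoteInteractive, 11 CachedInteractive.
HUMAN_TYPES = {"2", "7", "10", "11"}

def parse_4624(text):
    """Parse Event Viewer's rendered 4624 text into {'Section/Field': value}."""
    ev, section = {}, ""
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value:
            ev[section + key] = value
        else:
            section = key + "/"   # header line such as "Subject:" or "New Logon:"
    return ev

def human_logons(events):
    """One record per interactive logon; linked session pairs are merged."""
    merged = {}
    for ev in events:
        if ev["Logon Information/Logon Type"] not in HUMAN_TYPES:
            continue              # service, batch and network logons
        if ev.get("Logon Information/Virtual Account") == "Yes":
            continue              # assumption: virtual accounts (e.g. DWM-1) are not people
        ids = {ev["New Logon/Logon ID"], ev.get("New Logon/Linked Logon ID", "0x0")}
        rec = merged.setdefault(frozenset(ids - {"0x0"}), {
            "time": ev.get("Date"), "account": ev["New Logon/Account Name"],
            "type": ev["Logon Information/Logon Type"], "elevated": False})
        rec["elevated"] |= ev.get("Logon Information/Elevated Token") == "Yes"
    return list(merged.values())

def sample(date, acct, ltype, lid, linked, virtual="No", elevated="No"):
    """Constructed 4624 text in the field layout of the events quoted above."""
    return (f"Date: {date}\nEvent ID: 4624\nLogon Information:\n"
            f"Logon Type: {ltype}\nVirtual Account: {virtual}\n"
            f"Elevated Token: {elevated}\nNew Logon:\nAccount Name: {acct}\n"
            f"Logon ID: {lid}\nLinked Logon ID: {linked}\n")

SAMPLES = [  # constructed values, not taken from a real log
    sample("2/14/2017 1:35:30 PM", "alice", 7, "0x3A0001", "0x3A0002", elevated="Yes"),
    sample("2/14/2017 1:35:30 PM", "alice", 7, "0x3A0002", "0x3A0001"),
    sample("2/14/2017 1:36:02 PM", "SYSTEM", 5, "0x3E7", "0x0"),
    sample("2/14/2017 1:36:10 PM", "DWM-1", 2, "0x3A0100", "0x0", virtual="Yes"),
]
print(human_logons(parse_4624(t) for t in SAMPLES))
```
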
  3. Amit_Sun Win User
    Events 4672 & 4624 Win 10 Freezes - special LOGON ?

    Hi,

    Thank you for writing to Microsoft Community Forums.

    1. Are you on a domain network?
    2. May I know the make and the model number of your system?

    The event logs you have provided seem to be the security logs that are generated when you log in to your system. For more information on the event that was generated, you can check 4672(S): Special privileges assigned to new logon.

    The Windows error logs will be located at Event Viewer > Windows Logs > System.

    Please follow the step below and check if it works for you.

    Step: Improve Windows 10 Performance.

    Try some of the following suggestions to help make your Windows 10 PC run better. The steps are listed in order, so start with the first one, see if that fixes the problem, and then continue to the next one if it doesn't.

    Note: The last step in the article contains Windows Reset. I suggest you not perform a Windows reset, as there is a chance your data and applications will be wiped and the OS will be reverted back to the previous version you upgraded from.

    If the issue still persists, please reply to this post with more information so that we can identify the root cause of this issue and assist you further.

    Hope it helps.

    Amit Sunar

    Microsoft Community – Moderator
     
    Amit_Sun, Feb 10, 2020
    #3
  4. dalchina Win User

    computer failed to boot - disk error event id 153 + 98

    Hi, suggest you try Hard Disk Sentinel (trial) - gives a great quick analysis (SSDs too).

    Please post the results.

    Event ID 153:
    This event may be an indication that the specified drive may be failing soon. This is especially true if the event is recorded regularly. The first step is to run the maintenance utilities related to hard drives, starting with CHKDSK and the utilities available from the manufacturer for that specific brand.

    Event ID 98:
    Event ID: 98
     
    dalchina, Feb 10, 2020
    #4