Tons of Windows login events in Event Viewer: unexplained command prompt that instantly closes; wondering what is causing them?

Gavin_30
Jun 5, 2017
I am getting loads of event 4799, 4624, 4672 and 4905 events in my Event Viewer.
Something is logging on, being given special privileges, and then trying to change some security group setting, and it keeps cycling every few minutes.

VSVCC.exe and services.exe both seem to be involved.

Event Viewer looks like this: https://gyazo.com/20ccdb4d06e1dd6eb0d74dc46ddb720d

I've had a command prompt appear and instantly disappear twice too.

I can give more details; not sure what to write.

I don't *think* it's malware or a virus; scans (Malwarebytes and Avira) are both clear, and I don't have any other problems.

I'm on Windows 10, and assume it's something stupid to do with Windows, but would like to know what.

What is causing this?
Hi - I don't think that is my problem, because I don't have any "office" under Task Scheduler.

I would just like to know what the continuous logging and stuff I mentioned in my OP relates to; do you have any ideas?

Thanks for your reply.
Solution
Event 4799 is:
Windows logs this event when a process enumerates the members of the specified local group on that computer.

In the example below, RandyFranklinSmith (an Azure AD account) used Computer Management (mmc.exe) to open the local group Users to view its members. That triggered the event. But the same event is logged by other methods such as "net local group".

This event is valuable for catching so-called APT actors who are scoping out the local accounts on a system they have compromised so that they can extend their horizontal kill chain. Of course, false positives are possible. Pay attention to the Subject, the quantity of events and the type of system where they are logged.

Event 4624 is "An account was successfully logged on".

And event 4905 is "An attempt was made to unregister a security event source".

I would look at the details of the events and see if they show what is trying to connect. The links above at least show how to track 4624, as it should tell what type of connection it is. Event 4788 appears that it could be created by system processes and may not be suspicious. I am not sure what 4905 is doing.

Reading event logs isn't something I am good at.
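One way to follow that advice and attribute the cycling events to a process, as an added PowerShell example that is not from this thread: it reads the four event IDs the OP listed out of the Security log and groups them by subject account, logon type and the process each event records. The field names used (SubjectUserName, LogonType, ProcessName, CallerProcessName, TargetUserName) are the standard EventData fields of those events; the 24-hour look-back is an assumption.

```powershell
# Added example (not from the thread): summarise the noisy Security-log events the OP reported
# (4624 logon, 4672 special privileges, 4799 local-group enumeration, 4905 event-source unregister)
# by who raised them and from which process, so the cycling activity can be tied to a cause.
# Run from an elevated PowerShell prompt; reading the Security log needs administrator rights.

$since = (Get-Date).AddHours(-24)   # assumed look-back window; adjust as needed
$ids   = 4624, 4672, 4799, 4905

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
    -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML so all four IDs can be grouped alike.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Subject   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        # 4624 only: 2 = interactive, 3 = network, 4 = batch, 5 = service, 7 = unlock, 10 = RDP
        LogonType = $data['LogonType']
        # 4624 and 4905 record the process as ProcessName; 4799 records it as CallerProcessName
        Process   = if ($data['ProcessName']) { $data['ProcessName'] } else { $data['CallerProcessName'] }
        # 4624: the account that logged on; 4799: the local group that was enumerated
        Target    = $data['TargetUserName']
    }
}

# Which (event, account, process) combinations produce the volume? SYSTEM plus services.exe or
# svchost.exe every few minutes points at a routine Windows component; a user account plus an
# unfamiliar binary deserves a closer look at that binary's path and signature.
$rows | Group-Object Id, Subject, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# For the 4624 logons, the logon type plus process says what kind of connection it was.
$rows | Where-Object Id -eq 4624 | Group-Object LogonType, Target, Process |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# For 4799, see which local groups are being enumerated and by what process.
$rows | Where-Object Id -eq 4799 | Group-Object Target, Process |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
```

A 4672 entry for SYSTEM immediately followed by 4624 with logon type 5 is the normal signature of a service starting, which matches the services.exe involvement the OP saw.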