Why does the system or a hacker across the street logon to Windows 10 after I am logged on?

Toggle sidebar Toggle sidebar
A

aquielisunari

Judicious
Mar 31, 2011
6,499
14
33,015
logon.png
I initially logged on at 4 or 5am
 
Solution
Colif
Login type 5: Service logon—This is used for services and service accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.

Process ID: 0x304 - possibly related to MS mouse/keyboard as I can only find it once on google.

You are looking at log entries of the LocalSystem Account, which is designed to do exactly the types of things you are indicating. This is completely normal and only sounds suspicious due to the various special abilities it must have to impersonate a user, since that's how it gains the privileges necessary to perform certain update or other system tasks...
Click to expand...
Sort by date Sort by votes
Are there any more details regarding event?

This event lets you know whenever an account assigned any "administrator equivalent" user rights logs on. For instance you will see event 4672 in close proximity to logon events (4624) for administrators since administrators have most of these admin-equivalent rights.

So, this is a useful right to detecting any "super user" account logons. Of course this right is logged for any server or applications accounts logging on as a batch job (scheduled task) or system service. See Logon Type: on event ID 4624. You can correlate 4672 to 4624 by Logon ID:.

Note: "User rights" and "privileges" are synonymous terms used interchangeably in Windows.

Admin-equivalent rights are powerful authorities that allow you to circumvent other security controls in Windows. Most admin equivalent privileges are intended for services and applications that interact closely with the operating system. With just a few exceptions, most admin equivalent privileges neither need nor should be granted to human user accounts.
Click to expand...

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4672

the system has users, TrustedInstaller is a built in user, as is system. So this could just be a system lvl event, not an external one.

note: why are you looking in event viewer? A perfectly working PC will have errors in here, it is fairly normal. I try not to look in event viewer as it worries me when i see them there, but unless PC is actually playing up, its best to ignore event viewer.
 
Upvote 0 Downvote
That is normal behavior of Windows. Is the SYSTEM account "not a hacker across the street"
You will see the event id 4672 close to the event id 4624. Event id 4672 lets you know whenever an account assigned any "administrator equivalent" rights logs on your computer.
 
Upvote 0 Downvote


Why am I looking in there? Everything((Search utility) shows, everything and I happened to see an event so I was curious then obviously slightly concerned.

Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege

AND

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-EOLBKCP$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

is more information
 
Upvote 0 Downvote
Login type 5: Service logon—This is used for services and service accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.

Process ID: 0x304 - possibly related to MS mouse/keyboard as I can only find it once on google.

You are looking at log entries of the LocalSystem Account, which is designed to do exactly the types of things you are indicating. This is completely normal and only sounds suspicious due to the various special abilities it must have to impersonate a user, since that's how it gains the privileges necessary to perform certain update or other system tasks.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx

These are being logged because the Audit Sensitive Privilege Use security policy is enabled.

https://technet.microsoft.com/en-us/library/dd772724(v=ws.10).aspx

My recommendation is to stay out of the event viewer unless you wish to spend hundreds of hours researching these entries on the Microsoft websites, since many of them sound strange and most are normal and in truth have little meaning in day-to-day use.

Note that I'm not stating you can't spend time doing this, only that for most it is an utter waste of time, since it provides no real value in improving your daily use of your PC.
Click to expand...

https://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning-protectwindows8_1/nt-authority-hackr-logon-id-0x3e7-0x3e5/ebd3a18e-71da-4c30-99c7-ecaa3fbde2a7

Advapi is the logon process IIS uses for handling Web logons.
 
Upvote 0 Downvote
Solution


:) K, thanks again.
 
Upvote 0 Downvote
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom