- Keywords Date and Time Source Event ID Task Category
- Audit Success 5/2/2017 7:57:25 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44E03
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x2328
- Process Name: C:\Windows\System32\mmc.exe"
- Audit Success 5/2/2017 7:57:22 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44E3A
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15f4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 7:57:08 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44E03
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x2328
- Process Name: C:\Windows\System32\mmc.exe"
- Audit Success 5/2/2017 7:56:57 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44E3A
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15f4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 7:56:51 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44E03
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x2328
- Process Name: C:\Windows\System32\mmc.exe"
- Audit Success 5/2/2017 7:56:36 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44E03
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x2328
- Process Name: C:\Windows\System32\mmc.exe"
- Audit Success 5/2/2017 7:56:17 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44E03
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x2328
- Process Name: C:\Windows\System32\mmc.exe"
- Audit Success 5/2/2017 7:55:12 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:55:12 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:55:08 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:55:08 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:54:12 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:54:12 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:54:12 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44E3A
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15f4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 7:53:08 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44E3A
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x2414
- Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
- Audit Success 5/2/2017 7:52:40 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:40 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:28 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:28 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:28 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:28 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:28 PM Microsoft-Windows-Security-Auditing 5059 Other System Events "Key migration operation.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Cryptographic Parameters:
- Provider Name: Microsoft Software Key Storage Provider
- Algorithm Name: ECDSA_P256
- Key Name: b9f2517f4754014d
- Key Type: User key.
- Additional Information:
- Operation: Export of persistent cryptographic key.
- Return Code: 0x0"
- Audit Success 5/2/2017 7:52:28 PM Microsoft-Windows-Security-Auditing 5061 System Integrity "Cryptographic operation.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Cryptographic Parameters:
- Provider Name: Microsoft Software Key Storage Provider
- Algorithm Name: ECDSA_P256
- Key Name: b9f2517f4754014d
- Key Type: User key.
- Cryptographic Operation:
- Operation: Open Key.
- Return Code: 0x0"
- Audit Success 5/2/2017 7:52:28 PM Microsoft-Windows-Security-Auditing 5058 Other System Events "Key file operation.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Cryptographic Parameters:
- Provider Name: Microsoft Software Key Storage Provider
- Algorithm Name: UNKNOWN
- Key Name: b9f2517f4754014d
- Key Type: User key.
- Key File Operation Information:
- File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\3ad54d8cdb73d107e26bb0926fb878e5_e373e90a-b40d-45c4-ac61-69a179d88b1d
- Operation: Read persisted key from file.
- Return Code: 0x0"
- Audit Success 5/2/2017 7:52:25 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x1cb0
- Process Name: C:\Windows\System32\svchost.exe"
- Audit Success 5/2/2017 7:52:23 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:23 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:19 PM Microsoft-Windows-Security-Auditing 5059 Other System Events "Key migration operation.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Cryptographic Parameters:
- Provider Name: Microsoft Software Key Storage Provider
- Algorithm Name: ECDSA_P256
- Key Name: Microsoft Connected Devices Platform device certificate
- Key Type: User key.
- Additional Information:
- Operation: Export of persistent cryptographic key.
- Return Code: 0x0"
- Audit Success 5/2/2017 7:52:19 PM Microsoft-Windows-Security-Auditing 5061 System Integrity "Cryptographic operation.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Cryptographic Parameters:
- Provider Name: Microsoft Software Key Storage Provider
- Algorithm Name: ECDSA_P256
- Key Name: Microsoft Connected Devices Platform device certificate
- Key Type: User key.
- Cryptographic Operation:
- Operation: Open Key.
- Return Code: 0x0"
- Audit Success 5/2/2017 7:52:19 PM Microsoft-Windows-Security-Auditing 5058 Other System Events "Key file operation.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Cryptographic Parameters:
- Provider Name: Microsoft Software Key Storage Provider
- Algorithm Name: UNKNOWN
- Key Name: Microsoft Connected Devices Platform device certificate
- Key Type: User key.
- Key File Operation Information:
- File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_e373e90a-b40d-45c4-ac61-69a179d88b1d
- Operation: Read persisted key from file.
- Return Code: 0x0"
- Audit Success 5/2/2017 7:52:19 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44E3A
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15f4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 7:52:18 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44E3A
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15f4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 7:52:18 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x5bc
- Process Name: C:\Windows\System32\svchost.exe"
- Audit Success 5/2/2017 7:52:17 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44E03
- Privileges: SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:17 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 2
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: No
- Impersonation Level: Impersonation
- New Logon:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44E3A
- Linked Logon ID: 0x44E03
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x678
- Process Name: C:\Windows\System32\svchost.exe
- Network Information:
- Workstation Name: DESKTOP-TM5QNT2
- Source Network Address: 127.0.0.1
- Source Port: 0
- Detailed Authentication Information:
- Logon Process: User32
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:17 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 2
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44E03
- Linked Logon ID: 0x44E3A
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x678
- Process Name: C:\Windows\System32\svchost.exe
- Network Information:
- Workstation Name: DESKTOP-TM5QNT2
- Source Network Address: 127.0.0.1
- Source Port: 0
- Detailed Authentication Information:
- Logon Process: User32
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:17 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Account Whose Credentials Were Used:
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Target Server:
- Target Server Name: localhost
- Additional Information: localhost
- Process Information:
- Process ID: 0x678
- Process Name: C:\Windows\System32\svchost.exe
- Network Information:
- Network Address: 127.0.0.1
- Port: 0
- This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
- Audit Success 5/2/2017 7:52:12 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x1084
- Process Name: C:\Windows\System32\SearchIndexer.exe"
- Audit Success 5/2/2017 7:52:12 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:12 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:12 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:12 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:12 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x464
- Process Name: C:\Windows\System32\LogonUI.exe"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 5024 Other System Events The Windows Firewall service started successfully.
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0xb24
- Process Name: C:\Windows\System32\svchost.exe"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Logon Information:
- Logon Type: 3
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: No
- Impersonation Level: Impersonation
- New Logon:
- Security ID: ANONYMOUS LOGON
- Account Name: ANONYMOUS LOGON
- Account Domain: NT AUTHORITY
- Logon ID: 0x26208
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x0
- Process Name: -
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: NtLmSsp
- Authentication Package: NTLM
- Transited Services: -
- Package Name (NTLM only): NTLM V1
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0xc28
- Process Name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: NETWORK SERVICE
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E4
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x87c
- Process Name: C:\Windows\System32\svchost.exe"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 5033 Other System Events The Windows Firewall Driver started successfully.
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Privileges: SeAssignPrimaryTokenPrivilege
- SeAuditPrivilege
- SeImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: Window Manager\DWM-1
- Account Name: DWM-1
- Account Domain: Window Manager
- Logon ID: 0x113C4
- Privileges: SeAssignPrimaryTokenPrivilege
- SeAuditPrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: Window Manager\DWM-1
- Account Name: DWM-1
- Account Domain: Window Manager
- Logon ID: 0x11389
- Privileges: SeAssignPrimaryTokenPrivilege
- SeAuditPrivilege
- SeImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 2
- Restricted Admin Mode: -
- Virtual Account: Yes
- Elevated Token: No
- Impersonation Level: Impersonation
- New Logon:
- Security ID: Window Manager\DWM-1
- Account Name: DWM-1
- Account Domain: Window Manager
- Logon ID: 0x113C4
- Linked Logon ID: 0x11389
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x220
- Process Name: C:\Windows\System32\winlogon.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 2
- Restricted Admin Mode: -
- Virtual Account: Yes
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: Window Manager\DWM-1
- Account Name: DWM-1
- Account Domain: Window Manager
- Logon ID: 0x11389
- Linked Logon ID: 0x113C4
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x220
- Process Name: C:\Windows\System32\winlogon.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Account Whose Credentials Were Used:
- Account Name: DWM-1
- Account Domain: Window Manager
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Target Server:
- Target Server Name: localhost
- Additional Information: localhost
- Process Information:
- Process ID: 0x220
- Process Name: C:\Windows\System32\winlogon.exe
- Network Information:
- Network Address: -
- Port: -
- This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 2
- Restricted Admin Mode: -
- Virtual Account: Yes
- Elevated Token: No
- Impersonation Level: Impersonation
- New Logon:
- Security ID: Font Driver Host\UMFD-1
- Account Name: UMFD-1
- Account Domain: Font Driver Host
- Logon ID: 0x102E5
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x220
- Process Name: C:\Windows\System32\winlogon.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Account Whose Credentials Were Used:
- Account Name: UMFD-1
- Account Domain: Font Driver Host
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Target Server:
- Target Server Name: localhost
- Additional Information: localhost
- Process Information:
- Process ID: 0x220
- Process Name: C:\Windows\System32\winlogon.exe
- Network Information:
- Network Address: -
- Port: -
- This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: NETWORK SERVICE
- Account Name: NETWORK SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E4
- Privileges: SeAssignPrimaryTokenPrivilege
- SeAuditPrivilege
- SeImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: NETWORK SERVICE
- Account Name: NETWORK SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E4
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 2
- Restricted Admin Mode: -
- Virtual Account: Yes
- Elevated Token: No
- Impersonation Level: Impersonation
- New Logon:
- Security ID: Font Driver Host\UMFD-0
- Account Name: UMFD-0
- Account Domain: Font Driver Host
- Logon ID: 0xAE98
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2ac
- Process Name: C:\Windows\System32\wininit.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Account Whose Credentials Were Used:
- Account Name: UMFD-0
- Account Domain: Font Driver Host
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Target Server:
- Target Server Name: localhost
- Additional Information: localhost
- Process Information:
- Process ID: 0x2ac
- Process Name: C:\Windows\System32\wininit.exe
- Network Information:
- Network Address: -
- Port: -
- This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2fc
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4902 Audit Policy Change "The Per-user audit policy table was created.
- Number of Elements: 0
- Policy ID: 0xAD31"
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Logon Information:
- Logon Type: 0
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: -
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x4
- Process Name:
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: -
- Authentication Package: -
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4608 Security State Change "Windows is starting up.
- This event is logged when LSASS.EXE starts and the auditing subsystem is initialized."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x304
- New Process Name: C:\Windows\System32\lsass.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x2ac
- Creator Process Name: C:\Windows\System32\wininit.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x2fc
- New Process Name: C:\Windows\System32\services.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x2ac
- Creator Process Name: C:\Windows\System32\wininit.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x2b4
- New Process Name: C:\Windows\System32\csrss.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x2a4
- Creator Process Name: C:\Windows\System32\smss.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x2ac
- New Process Name: C:\Windows\System32\wininit.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x238
- Creator Process Name: C:\Windows\System32\smss.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x2a4
- New Process Name: C:\Windows\System32\smss.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x1c8
- Creator Process Name: C:\Windows\System32\smss.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 7:52:09 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x244
- New Process Name: C:\Windows\System32\csrss.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x238
- Creator Process Name: C:\Windows\System32\smss.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 7:52:09 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x238
- New Process Name: C:\Windows\System32\smss.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x1c8
- Creator Process Name: C:\Windows\System32\smss.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 7:52:08 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x1d4
- New Process Name: C:\Windows\System32\autochk.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x1c8
- Creator Process Name: C:\Windows\System32\smss.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 7:52:08 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x1c8
- New Process Name: C:\Windows\System32\smss.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x4
- Creator Process Name:
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 7:52:08 PM Microsoft-Windows-Security-Auditing 4826 Other Policy Change Events "Boot Configuration Data loaded.
- Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- General Settings:
- Load Options: -
- Advanced Options: No
- Configuration Access Policy: Default
- System Event Logging: No
- Kernel Debugging: No
- VSM Launch Type: Off
- Signature Settings:
- Test Signing: No
- Flight Signing: No
- Disable Integrity Checks: No
- HyperVisor Settings:
- HyperVisor Load Options: -
- HyperVisor Launch Type: Off
- HyperVisor Debugging: No"
- Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Eventlog 1101 Event processing Audit events have been dropped by the transport. 0
- Audit Success 5/2/2017 7:49:14 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:49:14 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:38:55 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:38:55 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:25:15 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x11a0
- Process Name: C:\Program Files\WinRAR\WinRAR.exe"
- Audit Success 5/2/2017 7:24:12 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:24:12 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:16:56 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15e4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 7:16:55 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:16:55 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:15:24 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x1d30
- Process Name: C:\Program Files\WinRAR\WinRAR.exe"
- Audit Success 5/2/2017 7:15:21 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:15:21 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:15:17 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15e4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 7:15:17 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15e4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 7:15:13 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:15:13 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 7:05:41 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 7:05:41 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 6:51:05 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 6:51:05 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 6:26:40 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 6:26:40 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 6:26:18 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15e4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 6:26:18 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 6:26:18 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 6:22:46 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 6:22:46 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 6:19:06 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15e4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 6:17:29 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15e4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 6:17:28 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 6:17:28 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 6:15:21 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 6:15:21 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 6:15:12 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 6:15:12 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 6:15:09 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15e4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x27e4
- Process Name: C:\Windows\System32\VSSVC.exe"
- Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x27e4
- Process Name: C:\Windows\System32\VSSVC.exe"
- Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x27e4
- Process Name: C:\Windows\System32\VSSVC.exe"
- Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x27e4
- Process Name: C:\Windows\System32\VSSVC.exe"
- Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 6:15:00 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 6:15:00 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 6:14:59 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 6:14:59 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 6:08:55 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 6:08:55 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 6:00:38 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15e4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 5:18:57 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 5:18:57 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:52:38 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:52:38 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:52:32 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x39f0
- Process Name: C:\Windows\System32\VSSVC.exe"
- Audit Success 5/2/2017 4:52:32 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x39f0
- Process Name: C:\Windows\System32\VSSVC.exe"
- Audit Success 5/2/2017 4:52:32 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x39f0
- Process Name: C:\Windows\System32\VSSVC.exe"
- Audit Success 5/2/2017 4:52:32 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x39f0
- Process Name: C:\Windows\System32\VSSVC.exe"
- Audit Success 5/2/2017 4:52:32 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:52:32 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:49:16 PM Microsoft-Windows-Security-Auditing 4616 Security State Change "The system time was changed.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Process Information:
- Process ID: 0x3674
- Name: C:\Windows\System32\svchost.exe
- Previous Time: 2017-05-02T23:49:16.477967100Z
- New Time: 2017-05-02T23:49:16.477000000Z
- This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."
- Audit Success 5/2/2017 4:49:16 PM Microsoft-Windows-Security-Auditing 4616 Security State Change "The system time was changed.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Process Information:
- Process ID: 0x3674
- Name: C:\Windows\System32\svchost.exe
- Previous Time: 2017-05-02T23:49:16.479116700Z
- New Time: 2017-05-02T23:49:16.478000000Z
- This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."
- Audit Success 5/2/2017 4:49:16 PM Microsoft-Windows-Security-Auditing 4616 Security State Change "The system time was changed.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Process Information:
- Process ID: 0x3674
- Name: C:\Windows\System32\svchost.exe
- Previous Time: 2017-05-02T23:49:14.390205300Z
- New Time: 2017-05-02T23:49:16.478785800Z
- This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."
- Audit Success 5/2/2017 4:49:07 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:49:07 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:48:59 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:48:59 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x222c
- Process Name: C:\Windows\System32\VSSVC.exe"
- Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x222c
- Process Name: C:\Windows\System32\VSSVC.exe"
- Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x222c
- Process Name: C:\Windows\System32\VSSVC.exe"
- Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x222c
- Process Name: C:\Windows\System32\VSSVC.exe"
- Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:48:57 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:48:57 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:48:57 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:48:57 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:44:37 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15e4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 4:43:09 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:43:09 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:43:08 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:43:08 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:42:57 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:42:57 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:42:56 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:42:56 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:42:56 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:42:56 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:42:56 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:42:56 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:42:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:42:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:42:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:42:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:40:56 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:40:56 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:40:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:40:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:40:54 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15e4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 4:40:53 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x2da0
- Process Name: C:\Windows\System32\svchost.exe"
- Audit Success 5/2/2017 4:40:50 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:40:50 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:39:57 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x2454
- Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
- Audit Success 5/2/2017 4:39:38 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:39:38 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:39:37 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:39:37 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:39:15 PM Microsoft-Windows-Security-Auditing 4797 User Account Management "An attempt was made to query the existence of a blank password for an account.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- Additional Information:
- Caller Workstation: DESKTOP-TM5QNT2
- Target Account Name: Guest
- Target Account Domain: DESKTOP-TM5QNT2"
- Audit Success 5/2/2017 4:39:15 PM Microsoft-Windows-Security-Auditing 4797 User Account Management "An attempt was made to query the existence of a blank password for an account.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- Additional Information:
- Caller Workstation: DESKTOP-TM5QNT2
- Target Account Name: DefaultAccount
- Target Account Domain: DESKTOP-TM5QNT2"
- Audit Success 5/2/2017 4:39:15 PM Microsoft-Windows-Security-Auditing 4797 User Account Management "An attempt was made to query the existence of a blank password for an account.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- Additional Information:
- Caller Workstation: DESKTOP-TM5QNT2
- Target Account Name: Administrator
- Target Account Domain: DESKTOP-TM5QNT2"
- Audit Success 5/2/2017 4:39:14 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:39:14 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:39:14 PM Microsoft-Windows-Security-Auditing 5059 Other System Events "Key migration operation.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Cryptographic Parameters:
- Provider Name: Microsoft Software Key Storage Provider
- Algorithm Name: ECDSA_P256
- Key Name: b9f2517f4754014d
- Key Type: User key.
- Additional Information:
- Operation: Export of persistent cryptographic key.
- Return Code: 0x0"
- Audit Success 5/2/2017 4:39:14 PM Microsoft-Windows-Security-Auditing 5061 System Integrity "Cryptographic operation.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Cryptographic Parameters:
- Provider Name: Microsoft Software Key Storage Provider
- Algorithm Name: ECDSA_P256
- Key Name: b9f2517f4754014d
- Key Type: User key.
- Cryptographic Operation:
- Operation: Open Key.
- Return Code: 0x0"
- Audit Success 5/2/2017 4:39:14 PM Microsoft-Windows-Security-Auditing 5058 Other System Events "Key file operation.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Cryptographic Parameters:
- Provider Name: Microsoft Software Key Storage Provider
- Algorithm Name: UNKNOWN
- Key Name: b9f2517f4754014d
- Key Type: User key.
- Key File Operation Information:
- File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\3ad54d8cdb73d107e26bb0926fb878e5_e373e90a-b40d-45c4-ac61-69a179d88b1d
- Operation: Read persisted key from file.
- Return Code: 0x0"
- Audit Success 5/2/2017 4:39:08 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:39:08 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:39:05 PM Microsoft-Windows-Security-Auditing 5059 Other System Events "Key migration operation.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Cryptographic Parameters:
- Provider Name: Microsoft Software Key Storage Provider
- Algorithm Name: ECDSA_P256
- Key Name: Microsoft Connected Devices Platform device certificate
- Key Type: User key.
- Additional Information:
- Operation: Export of persistent cryptographic key.
- Return Code: 0x0"
- Audit Success 5/2/2017 4:39:05 PM Microsoft-Windows-Security-Auditing 5061 System Integrity "Cryptographic operation.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Cryptographic Parameters:
- Provider Name: Microsoft Software Key Storage Provider
- Algorithm Name: ECDSA_P256
- Key Name: Microsoft Connected Devices Platform device certificate
- Key Type: User key.
- Cryptographic Operation:
- Operation: Open Key.
- Return Code: 0x0"
- Audit Success 5/2/2017 4:39:05 PM Microsoft-Windows-Security-Auditing 5058 Other System Events "Key file operation.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Cryptographic Parameters:
- Provider Name: Microsoft Software Key Storage Provider
- Algorithm Name: UNKNOWN
- Key Name: Microsoft Connected Devices Platform device certificate
- Key Type: User key.
- Key File Operation Information:
- File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_e373e90a-b40d-45c4-ac61-69a179d88b1d
- Operation: Read persisted key from file.
- Return Code: 0x0"
- Audit Success 5/2/2017 4:39:05 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15e4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 4:39:05 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x15e4
- Process Name: C:\Windows\explorer.exe"
- Audit Success 5/2/2017 4:39:04 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x538
- Process Name: C:\Windows\System32\svchost.exe"
- Audit Success 5/2/2017 4:39:04 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x4433C
- Privileges: SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:39:04 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 2
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: No
- Impersonation Level: Impersonation
- New Logon:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x44375
- Linked Logon ID: 0x4433C
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x5fc
- Process Name: C:\Windows\System32\svchost.exe
- Network Information:
- Workstation Name: DESKTOP-TM5QNT2
- Source Network Address: 127.0.0.1
- Source Port: 0
- Detailed Authentication Information:
- Logon Process: User32
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:39:04 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 2
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x4433C
- Linked Logon ID: 0x44375
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x5fc
- Process Name: C:\Windows\System32\svchost.exe
- Network Information:
- Workstation Name: DESKTOP-TM5QNT2
- Source Network Address: 127.0.0.1
- Source Port: 0
- Detailed Authentication Information:
- Logon Process: User32
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:39:04 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Account Whose Credentials Were Used:
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Target Server:
- Target Server Name: localhost
- Additional Information: localhost
- Process Information:
- Process ID: 0x5fc
- Process Name: C:\Windows\System32\svchost.exe
- Network Information:
- Network Address: 127.0.0.1
- Port: 0
- This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
- Audit Success 5/2/2017 4:38:56 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:56 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0xfc8
- Process Name: C:\Windows\System32\SearchIndexer.exe"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 5024 Other System Events The Windows Firewall service started successfully.
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- User:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Process Information:
- Process ID: 0x464
- Process Name: C:\Windows\System32\LogonUI.exe"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0x888
- Process Name: C:\Windows\System32\svchost.exe"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Logon Information:
- Logon Type: 3
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: No
- Impersonation Level: Impersonation
- New Logon:
- Security ID: ANONYMOUS LOGON
- Account Name: ANONYMOUS LOGON
- Account Domain: NT AUTHORITY
- Logon ID: 0x28422
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x0
- Process Name: -
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: NtLmSsp
- Authentication Package: NTLM
- Transited Services: -
- Package Name (NTLM only): NTLM V1
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0xc20
- Process Name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
- Subject:
- Security ID: NETWORK SERVICE
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E4
- Group:
- Security ID: BUILTIN\Administrators
- Group Name: Administrators
- Group Domain: Builtin
- Process Information:
- Process ID: 0xbd4
- Process Name: C:\Windows\System32\svchost.exe"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 5033 Other System Events The Windows Firewall Driver started successfully.
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Privileges: SeAssignPrimaryTokenPrivilege
- SeAuditPrivilege
- SeImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: LOCAL SERVICE
- Account Name: LOCAL SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E5
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: Window Manager\DWM-1
- Account Name: DWM-1
- Account Domain: Window Manager
- Logon ID: 0x107FA
- Privileges: SeAssignPrimaryTokenPrivilege
- SeAuditPrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: Window Manager\DWM-1
- Account Name: DWM-1
- Account Domain: Window Manager
- Logon ID: 0x107C1
- Privileges: SeAssignPrimaryTokenPrivilege
- SeAuditPrivilege
- SeImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 2
- Restricted Admin Mode: -
- Virtual Account: Yes
- Elevated Token: No
- Impersonation Level: Impersonation
- New Logon:
- Security ID: Window Manager\DWM-1
- Account Name: DWM-1
- Account Domain: Window Manager
- Logon ID: 0x107FA
- Linked Logon ID: 0x107C1
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x224
- Process Name: C:\Windows\System32\winlogon.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 2
- Restricted Admin Mode: -
- Virtual Account: Yes
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: Window Manager\DWM-1
- Account Name: DWM-1
- Account Domain: Window Manager
- Logon ID: 0x107C1
- Linked Logon ID: 0x107FA
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x224
- Process Name: C:\Windows\System32\winlogon.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Account Whose Credentials Were Used:
- Account Name: DWM-1
- Account Domain: Window Manager
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Target Server:
- Target Server Name: localhost
- Additional Information: localhost
- Process Information:
- Process ID: 0x224
- Process Name: C:\Windows\System32\winlogon.exe
- Network Information:
- Network Address: -
- Port: -
- This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 2
- Restricted Admin Mode: -
- Virtual Account: Yes
- Elevated Token: No
- Impersonation Level: Impersonation
- New Logon:
- Security ID: Font Driver Host\UMFD-1
- Account Name: UMFD-1
- Account Domain: Font Driver Host
- Logon ID: 0xF7D3
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x224
- Process Name: C:\Windows\System32\winlogon.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Account Whose Credentials Were Used:
- Account Name: UMFD-1
- Account Domain: Font Driver Host
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Target Server:
- Target Server Name: localhost
- Additional Information: localhost
- Process Information:
- Process ID: 0x224
- Process Name: C:\Windows\System32\winlogon.exe
- Network Information:
- Network Address: -
- Port: -
- This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: NETWORK SERVICE
- Account Name: NETWORK SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E4
- Privileges: SeAssignPrimaryTokenPrivilege
- SeAuditPrivilege
- SeImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: NETWORK SERVICE
- Account Name: NETWORK SERVICE
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E4
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 2
- Restricted Admin Mode: -
- Virtual Account: Yes
- Elevated Token: No
- Impersonation Level: Impersonation
- New Logon:
- Security ID: Font Driver Host\UMFD-0
- Account Name: UMFD-0
- Account Domain: Font Driver Host
- Logon ID: 0xAD22
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2a4
- Process Name: C:\Windows\System32\wininit.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Account Whose Credentials Were Used:
- Account Name: UMFD-0
- Account Domain: Font Driver Host
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Target Server:
- Target Server Name: localhost
- Additional Information: localhost
- Process Information:
- Process ID: 0x2a4
- Process Name: C:\Windows\System32\wininit.exe
- Network Information:
- Network Address: -
- Port: -
- This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2f0
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4902 Audit Policy Change "The Per-user audit policy table was created.
- Number of Elements: 0
- Policy ID: 0xABAE"
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Logon Information:
- Logon Type: 0
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: -
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x4
- Process Name:
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: -
- Authentication Package: -
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4608 Security State Change "Windows is starting up.
- This event is logged when LSASS.EXE starts and the auditing subsystem is initialized."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x2f8
- New Process Name: C:\Windows\System32\lsass.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x2a4
- Creator Process Name: C:\Windows\System32\wininit.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x2f0
- New Process Name: C:\Windows\System32\services.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x2a4
- Creator Process Name: C:\Windows\System32\wininit.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x2ac
- New Process Name: C:\Windows\System32\csrss.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x29c
- Creator Process Name: C:\Windows\System32\smss.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x2a4
- New Process Name: C:\Windows\System32\wininit.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x23c
- Creator Process Name: C:\Windows\System32\smss.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x29c
- New Process Name: C:\Windows\System32\smss.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x1c8
- Creator Process Name: C:\Windows\System32\smss.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 4:38:52 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x248
- New Process Name: C:\Windows\System32\csrss.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x23c
- Creator Process Name: C:\Windows\System32\smss.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 4:38:52 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x23c
- New Process Name: C:\Windows\System32\smss.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x1c8
- Creator Process Name: C:\Windows\System32\smss.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 4:38:51 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x1d4
- New Process Name: C:\Windows\System32\autochk.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x1c8
- Creator Process Name: C:\Windows\System32\smss.exe
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 4:38:51 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
- Creator Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- Target Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Process Information:
- New Process ID: 0x1c8
- New Process Name: C:\Windows\System32\smss.exe
- Token Elevation Type: %%1936
- Mandatory Label: Mandatory Label\System Mandatory Level
- Creator Process ID: 0x4
- Creator Process Name:
- Process Command Line:
- Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
- Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
- Audit Success 5/2/2017 4:38:51 PM Microsoft-Windows-Security-Auditing 4826 Other Policy Change Events "Boot Configuration Data loaded.
- Subject:
- Security ID: SYSTEM
- Account Name: -
- Account Domain: -
- Logon ID: 0x3E7
- General Settings:
- Load Options: -
- Advanced Options: No
- Configuration Access Policy: Default
- System Event Logging: No
- Kernel Debugging: No
- VSM Launch Type: Off
- Signature Settings:
- Test Signing: No
- Flight Signing: No
- Disable Integrity Checks: No
- HyperVisor Settings:
- HyperVisor Load Options: -
- HyperVisor Launch Type: Off
- HyperVisor Debugging: No"
- Audit Success 5/2/2017 4:38:23 PM Microsoft-Windows-Security-Auditing 4647 Logoff "User initiated logoff:
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Account Domain: DESKTOP-TM5QNT2
- Logon ID: 0x3BDBA
- This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event."
- Audit Success 5/2/2017 4:38:23 PM Microsoft-Windows-Security-Auditing 4634 Logoff "An account was logged off.
- Subject:
- Security ID: Font Driver Host\UMFD-1
- Account Name: UMFD-1
- Account Domain: Font Driver Host
- Logon ID: 0xFEE6
- Logon Type: 2
- This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
- Audit Success 5/2/2017 4:38:23 PM Microsoft-Windows-Eventlog 1100 Service shutdown The event logging service has shut down.
- Audit Success 5/2/2017 4:38:16 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
- Subject:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Privileges: SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeImpersonatePrivilege
- SeDelegateSessionUserImpersonatePrivilege"
- Audit Success 5/2/2017 4:38:16 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
- Subject:
- Security ID: SYSTEM
- Account Name: DESKTOP-TM5QNT2$
- Account Domain: WORKGROUP
- Logon ID: 0x3E7
- Logon Information:
- Logon Type: 5
- Restricted Admin Mode: -
- Virtual Account: No
- Elevated Token: Yes
- Impersonation Level: Impersonation
- New Logon:
- Security ID: SYSTEM
- Account Name: SYSTEM
- Account Domain: NT AUTHORITY
- Logon ID: 0x3E7
- Linked Logon ID: 0x0
- Network Account Name: -
- Network Account Domain: -
- Logon GUID: {00000000-0000-0000-0000-000000000000}
- Process Information:
- Process ID: 0x2ec
- Process Name: C:\Windows\System32\services.exe
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Advapi
- Authentication Package: Negotiate
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon session is created. It is generated on the computer that was accessed.
- The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
- The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
- The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The impersonation level field indicates the extent to which a process in the logon session can impersonate.
- The authentication information fields provide detailed information about this specific logon request.
- - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
- Audit Success 5/2/2017 4:37:56 PM Microsoft-Windows-Eventlog 1102 Log clear "The audit log was cleared.
- Subject:
- Security ID: DESKTOP-TM5QNT2\Jai
- Account Name: Jai
- Domain Name: DESKTOP-TM5QNT2
- Logon ID: 0x3BD83"