iFestor

Security Events

May 2nd, 2017
  1. Keywords Date and Time Source Event ID Task Category
  2. Audit Success 5/2/2017 7:57:25 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  3.  
  4. Subject:
  5. Security ID: DESKTOP-TM5QNT2\Jai
  6. Account Name: Jai
  7. Account Domain: DESKTOP-TM5QNT2
  8. Logon ID: 0x44E03
  9.  
  10. User:
  11. Security ID: DESKTOP-TM5QNT2\Jai
  12. Account Name: Jai
  13. Account Domain: DESKTOP-TM5QNT2
  14.  
  15. Process Information:
  16. Process ID: 0x2328
  17. Process Name: C:\Windows\System32\mmc.exe"
  18. Audit Success 5/2/2017 7:57:22 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  19.  
  20. Subject:
  21. Security ID: DESKTOP-TM5QNT2\Jai
  22. Account Name: Jai
  23. Account Domain: DESKTOP-TM5QNT2
  24. Logon ID: 0x44E3A
  25.  
  26. User:
  27. Security ID: DESKTOP-TM5QNT2\Jai
  28. Account Name: Jai
  29. Account Domain: DESKTOP-TM5QNT2
  30.  
  31. Process Information:
  32. Process ID: 0x15f4
  33. Process Name: C:\Windows\explorer.exe"
  34. Audit Success 5/2/2017 7:57:08 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  35.  
  36. Subject:
  37. Security ID: DESKTOP-TM5QNT2\Jai
  38. Account Name: Jai
  39. Account Domain: DESKTOP-TM5QNT2
  40. Logon ID: 0x44E03
  41.  
  42. User:
  43. Security ID: DESKTOP-TM5QNT2\Jai
  44. Account Name: Jai
  45. Account Domain: DESKTOP-TM5QNT2
  46.  
  47. Process Information:
  48. Process ID: 0x2328
  49. Process Name: C:\Windows\System32\mmc.exe"
  50. Audit Success 5/2/2017 7:56:57 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  51.  
  52. Subject:
  53. Security ID: DESKTOP-TM5QNT2\Jai
  54. Account Name: Jai
  55. Account Domain: DESKTOP-TM5QNT2
  56. Logon ID: 0x44E3A
  57.  
  58. User:
  59. Security ID: DESKTOP-TM5QNT2\Jai
  60. Account Name: Jai
  61. Account Domain: DESKTOP-TM5QNT2
  62.  
  63. Process Information:
  64. Process ID: 0x15f4
  65. Process Name: C:\Windows\explorer.exe"
  66. Audit Success 5/2/2017 7:56:51 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  67.  
  68. Subject:
  69. Security ID: DESKTOP-TM5QNT2\Jai
  70. Account Name: Jai
  71. Account Domain: DESKTOP-TM5QNT2
  72. Logon ID: 0x44E03
  73.  
  74. User:
  75. Security ID: DESKTOP-TM5QNT2\Jai
  76. Account Name: Jai
  77. Account Domain: DESKTOP-TM5QNT2
  78.  
  79. Process Information:
  80. Process ID: 0x2328
  81. Process Name: C:\Windows\System32\mmc.exe"
  82. Audit Success 5/2/2017 7:56:36 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  83.  
  84. Subject:
  85. Security ID: DESKTOP-TM5QNT2\Jai
  86. Account Name: Jai
  87. Account Domain: DESKTOP-TM5QNT2
  88. Logon ID: 0x44E03
  89.  
  90. User:
  91. Security ID: DESKTOP-TM5QNT2\Jai
  92. Account Name: Jai
  93. Account Domain: DESKTOP-TM5QNT2
  94.  
  95. Process Information:
  96. Process ID: 0x2328
  97. Process Name: C:\Windows\System32\mmc.exe"
  98. Audit Success 5/2/2017 7:56:17 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  99.  
  100. Subject:
  101. Security ID: DESKTOP-TM5QNT2\Jai
  102. Account Name: Jai
  103. Account Domain: DESKTOP-TM5QNT2
  104. Logon ID: 0x44E03
  105.  
  106. User:
  107. Security ID: DESKTOP-TM5QNT2\Jai
  108. Account Name: Jai
  109. Account Domain: DESKTOP-TM5QNT2
  110.  
  111. Process Information:
  112. Process ID: 0x2328
  113. Process Name: C:\Windows\System32\mmc.exe"
  114. Audit Success 5/2/2017 7:55:12 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  115.  
  116. Subject:
  117. Security ID: SYSTEM
  118. Account Name: SYSTEM
  119. Account Domain: NT AUTHORITY
  120. Logon ID: 0x3E7
  121.  
  122. Privileges: SeAssignPrimaryTokenPrivilege
  123. SeTcbPrivilege
  124. SeSecurityPrivilege
  125. SeTakeOwnershipPrivilege
  126. SeLoadDriverPrivilege
  127. SeBackupPrivilege
  128. SeRestorePrivilege
  129. SeDebugPrivilege
  130. SeAuditPrivilege
  131. SeSystemEnvironmentPrivilege
  132. SeImpersonatePrivilege
  133. SeDelegateSessionUserImpersonatePrivilege"
  134. Audit Success 5/2/2017 7:55:12 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  135.  
  136. Subject:
  137. Security ID: SYSTEM
  138. Account Name: DESKTOP-TM5QNT2$
  139. Account Domain: WORKGROUP
  140. Logon ID: 0x3E7
  141.  
  142. Logon Information:
  143. Logon Type: 5
  144. Restricted Admin Mode: -
  145. Virtual Account: No
  146. Elevated Token: Yes
  147.  
  148. Impersonation Level: Impersonation
  149.  
  150. New Logon:
  151. Security ID: SYSTEM
  152. Account Name: SYSTEM
  153. Account Domain: NT AUTHORITY
  154. Logon ID: 0x3E7
  155. Linked Logon ID: 0x0
  156. Network Account Name: -
  157. Network Account Domain: -
  158. Logon GUID: {00000000-0000-0000-0000-000000000000}
  159.  
  160. Process Information:
  161. Process ID: 0x2fc
  162. Process Name: C:\Windows\System32\services.exe
  163.  
  164. Network Information:
  165. Workstation Name: -
  166. Source Network Address: -
  167. Source Port: -
  168.  
  169. Detailed Authentication Information:
  170. Logon Process: Advapi
  171. Authentication Package: Negotiate
  172. Transited Services: -
  173. Package Name (NTLM only): -
  174. Key Length: 0
  175.  
  176. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  177.  
  178. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  179.  
  180. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  181.  
  182. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  183.  
  184. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  185.  
  186. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  187.  
  188. The authentication information fields provide detailed information about this specific logon request.
  189. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  190. - Transited services indicate which intermediate services have participated in this logon request.
  191. - Package name indicates which sub-protocol was used among the NTLM protocols.
  192. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  193. Audit Success 5/2/2017 7:55:08 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  194.  
  195. Subject:
  196. Security ID: SYSTEM
  197. Account Name: SYSTEM
  198. Account Domain: NT AUTHORITY
  199. Logon ID: 0x3E7
  200.  
  201. Privileges: SeAssignPrimaryTokenPrivilege
  202. SeTcbPrivilege
  203. SeSecurityPrivilege
  204. SeTakeOwnershipPrivilege
  205. SeLoadDriverPrivilege
  206. SeBackupPrivilege
  207. SeRestorePrivilege
  208. SeDebugPrivilege
  209. SeAuditPrivilege
  210. SeSystemEnvironmentPrivilege
  211. SeImpersonatePrivilege
  212. SeDelegateSessionUserImpersonatePrivilege"
  213. Audit Success 5/2/2017 7:55:08 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  214.  
  215. Subject:
  216. Security ID: SYSTEM
  217. Account Name: DESKTOP-TM5QNT2$
  218. Account Domain: WORKGROUP
  219. Logon ID: 0x3E7
  220.  
  221. Logon Information:
  222. Logon Type: 5
  223. Restricted Admin Mode: -
  224. Virtual Account: No
  225. Elevated Token: Yes
  226.  
  227. Impersonation Level: Impersonation
  228.  
  229. New Logon:
  230. Security ID: SYSTEM
  231. Account Name: SYSTEM
  232. Account Domain: NT AUTHORITY
  233. Logon ID: 0x3E7
  234. Linked Logon ID: 0x0
  235. Network Account Name: -
  236. Network Account Domain: -
  237. Logon GUID: {00000000-0000-0000-0000-000000000000}
  238.  
  239. Process Information:
  240. Process ID: 0x2fc
  241. Process Name: C:\Windows\System32\services.exe
  242.  
  243. Network Information:
  244. Workstation Name: -
  245. Source Network Address: -
  246. Source Port: -
  247.  
  248. Detailed Authentication Information:
  249. Logon Process: Advapi
  250. Authentication Package: Negotiate
  251. Transited Services: -
  252. Package Name (NTLM only): -
  253. Key Length: 0
  254.  
  255. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  256.  
  257. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  258.  
  259. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  260.  
  261. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  262.  
  263. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  264.  
  265. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  266.  
  267. The authentication information fields provide detailed information about this specific logon request.
  268. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  269. - Transited services indicate which intermediate services have participated in this logon request.
  270. - Package name indicates which sub-protocol was used among the NTLM protocols.
  271. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  272. Audit Success 5/2/2017 7:54:12 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  273.  
  274. Subject:
  275. Security ID: SYSTEM
  276. Account Name: SYSTEM
  277. Account Domain: NT AUTHORITY
  278. Logon ID: 0x3E7
  279.  
  280. Privileges: SeAssignPrimaryTokenPrivilege
  281. SeTcbPrivilege
  282. SeSecurityPrivilege
  283. SeTakeOwnershipPrivilege
  284. SeLoadDriverPrivilege
  285. SeBackupPrivilege
  286. SeRestorePrivilege
  287. SeDebugPrivilege
  288. SeAuditPrivilege
  289. SeSystemEnvironmentPrivilege
  290. SeImpersonatePrivilege
  291. SeDelegateSessionUserImpersonatePrivilege"
  292. Audit Success 5/2/2017 7:54:12 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  293.  
  294. Subject:
  295. Security ID: SYSTEM
  296. Account Name: DESKTOP-TM5QNT2$
  297. Account Domain: WORKGROUP
  298. Logon ID: 0x3E7
  299.  
  300. Logon Information:
  301. Logon Type: 5
  302. Restricted Admin Mode: -
  303. Virtual Account: No
  304. Elevated Token: Yes
  305.  
  306. Impersonation Level: Impersonation
  307.  
  308. New Logon:
  309. Security ID: SYSTEM
  310. Account Name: SYSTEM
  311. Account Domain: NT AUTHORITY
  312. Logon ID: 0x3E7
  313. Linked Logon ID: 0x0
  314. Network Account Name: -
  315. Network Account Domain: -
  316. Logon GUID: {00000000-0000-0000-0000-000000000000}
  317.  
  318. Process Information:
  319. Process ID: 0x2fc
  320. Process Name: C:\Windows\System32\services.exe
  321.  
  322. Network Information:
  323. Workstation Name: -
  324. Source Network Address: -
  325. Source Port: -
  326.  
  327. Detailed Authentication Information:
  328. Logon Process: Advapi
  329. Authentication Package: Negotiate
  330. Transited Services: -
  331. Package Name (NTLM only): -
  332. Key Length: 0
  333.  
  334. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  335.  
  336. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  337.  
  338. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  339.  
  340. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  341.  
  342. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  343.  
  344. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  345.  
  346. The authentication information fields provide detailed information about this specific logon request.
  347. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  348. - Transited services indicate which intermediate services have participated in this logon request.
  349. - Package name indicates which sub-protocol was used among the NTLM protocols.
  350. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  351. Audit Success 5/2/2017 7:54:12 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  352.  
  353. Subject:
  354. Security ID: DESKTOP-TM5QNT2\Jai
  355. Account Name: Jai
  356. Account Domain: DESKTOP-TM5QNT2
  357. Logon ID: 0x44E3A
  358.  
  359. User:
  360. Security ID: DESKTOP-TM5QNT2\Jai
  361. Account Name: Jai
  362. Account Domain: DESKTOP-TM5QNT2
  363.  
  364. Process Information:
  365. Process ID: 0x15f4
  366. Process Name: C:\Windows\explorer.exe"
  367. Audit Success 5/2/2017 7:53:08 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  368.  
  369. Subject:
  370. Security ID: DESKTOP-TM5QNT2\Jai
  371. Account Name: Jai
  372. Account Domain: DESKTOP-TM5QNT2
  373. Logon ID: 0x44E3A
  374.  
  375. User:
  376. Security ID: DESKTOP-TM5QNT2\Jai
  377. Account Name: Jai
  378. Account Domain: DESKTOP-TM5QNT2
  379.  
  380. Process Information:
  381. Process ID: 0x2414
  382. Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
  383. Audit Success 5/2/2017 7:52:40 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  384.  
  385. Subject:
  386. Security ID: SYSTEM
  387. Account Name: SYSTEM
  388. Account Domain: NT AUTHORITY
  389. Logon ID: 0x3E7
  390.  
  391. Privileges: SeAssignPrimaryTokenPrivilege
  392. SeTcbPrivilege
  393. SeSecurityPrivilege
  394. SeTakeOwnershipPrivilege
  395. SeLoadDriverPrivilege
  396. SeBackupPrivilege
  397. SeRestorePrivilege
  398. SeDebugPrivilege
  399. SeAuditPrivilege
  400. SeSystemEnvironmentPrivilege
  401. SeImpersonatePrivilege
  402. SeDelegateSessionUserImpersonatePrivilege"
  403. Audit Success 5/2/2017 7:52:40 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  404.  
  405. Subject:
  406. Security ID: SYSTEM
  407. Account Name: DESKTOP-TM5QNT2$
  408. Account Domain: WORKGROUP
  409. Logon ID: 0x3E7
  410.  
  411. Logon Information:
  412. Logon Type: 5
  413. Restricted Admin Mode: -
  414. Virtual Account: No
  415. Elevated Token: Yes
  416.  
  417. Impersonation Level: Impersonation
  418.  
  419. New Logon:
  420. Security ID: SYSTEM
  421. Account Name: SYSTEM
  422. Account Domain: NT AUTHORITY
  423. Logon ID: 0x3E7
  424. Linked Logon ID: 0x0
  425. Network Account Name: -
  426. Network Account Domain: -
  427. Logon GUID: {00000000-0000-0000-0000-000000000000}
  428.  
  429. Process Information:
  430. Process ID: 0x2fc
  431. Process Name: C:\Windows\System32\services.exe
  432.  
  433. Network Information:
  434. Workstation Name: -
  435. Source Network Address: -
  436. Source Port: -
  437.  
  438. Detailed Authentication Information:
  439. Logon Process: Advapi
  440. Authentication Package: Negotiate
  441. Transited Services: -
  442. Package Name (NTLM only): -
  443. Key Length: 0
  444.  
  445. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  446.  
  447. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  448.  
  449. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  450.  
  451. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  452.  
  453. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  454.  
  455. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  456.  
  457. The authentication information fields provide detailed information about this specific logon request.
  458. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  459. - Transited services indicate which intermediate services have participated in this logon request.
  460. - Package name indicates which sub-protocol was used among the NTLM protocols.
  461. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  462. Audit Success 5/2/2017 7:52:28 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  463.  
  464. Subject:
  465. Security ID: SYSTEM
  466. Account Name: SYSTEM
  467. Account Domain: NT AUTHORITY
  468. Logon ID: 0x3E7
  469.  
  470. Privileges: SeAssignPrimaryTokenPrivilege
  471. SeTcbPrivilege
  472. SeSecurityPrivilege
  473. SeTakeOwnershipPrivilege
  474. SeLoadDriverPrivilege
  475. SeBackupPrivilege
  476. SeRestorePrivilege
  477. SeDebugPrivilege
  478. SeAuditPrivilege
  479. SeSystemEnvironmentPrivilege
  480. SeImpersonatePrivilege
  481. SeDelegateSessionUserImpersonatePrivilege"
  482. Audit Success 5/2/2017 7:52:28 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  483.  
  484. Subject:
  485. Security ID: SYSTEM
  486. Account Name: DESKTOP-TM5QNT2$
  487. Account Domain: WORKGROUP
  488. Logon ID: 0x3E7
  489.  
  490. Logon Information:
  491. Logon Type: 5
  492. Restricted Admin Mode: -
  493. Virtual Account: No
  494. Elevated Token: Yes
  495.  
  496. Impersonation Level: Impersonation
  497.  
  498. New Logon:
  499. Security ID: SYSTEM
  500. Account Name: SYSTEM
  501. Account Domain: NT AUTHORITY
  502. Logon ID: 0x3E7
  503. Linked Logon ID: 0x0
  504. Network Account Name: -
  505. Network Account Domain: -
  506. Logon GUID: {00000000-0000-0000-0000-000000000000}
  507.  
  508. Process Information:
  509. Process ID: 0x2fc
  510. Process Name: C:\Windows\System32\services.exe
  511.  
  512. Network Information:
  513. Workstation Name: -
  514. Source Network Address: -
  515. Source Port: -
  516.  
  517. Detailed Authentication Information:
  518. Logon Process: Advapi
  519. Authentication Package: Negotiate
  520. Transited Services: -
  521. Package Name (NTLM only): -
  522. Key Length: 0
  523.  
  524. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  525.  
  526. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  527.  
  528. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  529.  
  530. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  531.  
  532. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  533.  
  534. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  535.  
  536. The authentication information fields provide detailed information about this specific logon request.
  537. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  538. - Transited services indicate which intermediate services have participated in this logon request.
  539. - Package name indicates which sub-protocol was used among the NTLM protocols.
  540. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  541. Audit Success 5/2/2017 7:52:28 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  542.  
  543. Subject:
  544. Security ID: SYSTEM
  545. Account Name: SYSTEM
  546. Account Domain: NT AUTHORITY
  547. Logon ID: 0x3E7
  548.  
  549. Privileges: SeAssignPrimaryTokenPrivilege
  550. SeTcbPrivilege
  551. SeSecurityPrivilege
  552. SeTakeOwnershipPrivilege
  553. SeLoadDriverPrivilege
  554. SeBackupPrivilege
  555. SeRestorePrivilege
  556. SeDebugPrivilege
  557. SeAuditPrivilege
  558. SeSystemEnvironmentPrivilege
  559. SeImpersonatePrivilege
  560. SeDelegateSessionUserImpersonatePrivilege"
  561. Audit Success 5/2/2017 7:52:28 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  562.  
  563. Subject:
  564. Security ID: SYSTEM
  565. Account Name: DESKTOP-TM5QNT2$
  566. Account Domain: WORKGROUP
  567. Logon ID: 0x3E7
  568.  
  569. Logon Information:
  570. Logon Type: 5
  571. Restricted Admin Mode: -
  572. Virtual Account: No
  573. Elevated Token: Yes
  574.  
  575. Impersonation Level: Impersonation
  576.  
  577. New Logon:
  578. Security ID: SYSTEM
  579. Account Name: SYSTEM
  580. Account Domain: NT AUTHORITY
  581. Logon ID: 0x3E7
  582. Linked Logon ID: 0x0
  583. Network Account Name: -
  584. Network Account Domain: -
  585. Logon GUID: {00000000-0000-0000-0000-000000000000}
  586.  
  587. Process Information:
  588. Process ID: 0x2fc
  589. Process Name: C:\Windows\System32\services.exe
  590.  
  591. Network Information:
  592. Workstation Name: -
  593. Source Network Address: -
  594. Source Port: -
  595.  
  596. Detailed Authentication Information:
  597. Logon Process: Advapi
  598. Authentication Package: Negotiate
  599. Transited Services: -
  600. Package Name (NTLM only): -
  601. Key Length: 0
  602.  
  603. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  604.  
  605. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  606.  
  607. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  608.  
  609. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  610.  
  611. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  612.  
  613. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  614.  
  615. The authentication information fields provide detailed information about this specific logon request.
  616. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  617. - Transited services indicate which intermediate services have participated in this logon request.
  618. - Package name indicates which sub-protocol was used among the NTLM protocols.
  619. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  620. Audit Success 5/2/2017 7:52:28 PM Microsoft-Windows-Security-Auditing 5059 Other System Events "Key migration operation.
  621.  
  622. Subject:
  623. Security ID: LOCAL SERVICE
  624. Account Name: LOCAL SERVICE
  625. Account Domain: NT AUTHORITY
  626. Logon ID: 0x3E5
  627.  
  628. Cryptographic Parameters:
  629. Provider Name: Microsoft Software Key Storage Provider
  630. Algorithm Name: ECDSA_P256
  631. Key Name: b9f2517f4754014d
  632. Key Type: User key.
  633.  
  634. Additional Information:
  635. Operation: Export of persistent cryptographic key.
  636. Return Code: 0x0"
  637. Audit Success 5/2/2017 7:52:28 PM Microsoft-Windows-Security-Auditing 5061 System Integrity "Cryptographic operation.
  638.  
  639. Subject:
  640. Security ID: LOCAL SERVICE
  641. Account Name: LOCAL SERVICE
  642. Account Domain: NT AUTHORITY
  643. Logon ID: 0x3E5
  644.  
  645. Cryptographic Parameters:
  646. Provider Name: Microsoft Software Key Storage Provider
  647. Algorithm Name: ECDSA_P256
  648. Key Name: b9f2517f4754014d
  649. Key Type: User key.
  650.  
  651. Cryptographic Operation:
  652. Operation: Open Key.
  653. Return Code: 0x0"
  654. Audit Success 5/2/2017 7:52:28 PM Microsoft-Windows-Security-Auditing 5058 Other System Events "Key file operation.
  655.  
  656. Subject:
  657. Security ID: LOCAL SERVICE
  658. Account Name: LOCAL SERVICE
  659. Account Domain: NT AUTHORITY
  660. Logon ID: 0x3E5
  661.  
  662. Cryptographic Parameters:
  663. Provider Name: Microsoft Software Key Storage Provider
  664. Algorithm Name: UNKNOWN
  665. Key Name: b9f2517f4754014d
  666. Key Type: User key.
  667.  
  668. Key File Operation Information:
  669. File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\3ad54d8cdb73d107e26bb0926fb878e5_e373e90a-b40d-45c4-ac61-69a179d88b1d
  670. Operation: Read persisted key from file.
  671. Return Code: 0x0"
  672. Audit Success 5/2/2017 7:52:25 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  673.  
  674. Subject:
  675. Security ID: SYSTEM
  676. Account Name: DESKTOP-TM5QNT2$
  677. Account Domain: WORKGROUP
  678. Logon ID: 0x3E7
  679.  
  680. Group:
  681. Security ID: BUILTIN\Administrators
  682. Group Name: Administrators
  683. Group Domain: Builtin
  684.  
  685. Process Information:
  686. Process ID: 0x1cb0
  687. Process Name: C:\Windows\System32\svchost.exe"
  688. Audit Success 5/2/2017 7:52:23 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  689.  
  690. Subject:
  691. Security ID: SYSTEM
  692. Account Name: SYSTEM
  693. Account Domain: NT AUTHORITY
  694. Logon ID: 0x3E7
  695.  
  696. Privileges: SeAssignPrimaryTokenPrivilege
  697. SeTcbPrivilege
  698. SeSecurityPrivilege
  699. SeTakeOwnershipPrivilege
  700. SeLoadDriverPrivilege
  701. SeBackupPrivilege
  702. SeRestorePrivilege
  703. SeDebugPrivilege
  704. SeAuditPrivilege
  705. SeSystemEnvironmentPrivilege
  706. SeImpersonatePrivilege
  707. SeDelegateSessionUserImpersonatePrivilege"
  708. Audit Success 5/2/2017 7:52:23 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  709.  
  710. Subject:
  711. Security ID: SYSTEM
  712. Account Name: DESKTOP-TM5QNT2$
  713. Account Domain: WORKGROUP
  714. Logon ID: 0x3E7
  715.  
  716. Logon Information:
  717. Logon Type: 5
  718. Restricted Admin Mode: -
  719. Virtual Account: No
  720. Elevated Token: Yes
  721.  
  722. Impersonation Level: Impersonation
  723.  
  724. New Logon:
  725. Security ID: SYSTEM
  726. Account Name: SYSTEM
  727. Account Domain: NT AUTHORITY
  728. Logon ID: 0x3E7
  729. Linked Logon ID: 0x0
  730. Network Account Name: -
  731. Network Account Domain: -
  732. Logon GUID: {00000000-0000-0000-0000-000000000000}
  733.  
  734. Process Information:
  735. Process ID: 0x2fc
  736. Process Name: C:\Windows\System32\services.exe
  737.  
  738. Network Information:
  739. Workstation Name: -
  740. Source Network Address: -
  741. Source Port: -
  742.  
  743. Detailed Authentication Information:
  744. Logon Process: Advapi
  745. Authentication Package: Negotiate
  746. Transited Services: -
  747. Package Name (NTLM only): -
  748. Key Length: 0
  749.  
  750. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  751.  
  752. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  753.  
  754. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  755.  
  756. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  757.  
  758. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  759.  
  760. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  761.  
  762. The authentication information fields provide detailed information about this specific logon request.
  763. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  764. - Transited services indicate which intermediate services have participated in this logon request.
  765. - Package name indicates which sub-protocol was used among the NTLM protocols.
  766. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:19 PM Microsoft-Windows-Security-Auditing 5059 Other System Events "Key migration operation.

Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.

Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0"
Audit Success 5/2/2017 7:52:19 PM Microsoft-Windows-Security-Auditing 5061 System Integrity "Cryptographic operation.

Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.

Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0"
Audit Success 5/2/2017 7:52:19 PM Microsoft-Windows-Security-Auditing 5058 Other System Events "Key file operation.

Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.

Key File Operation Information:
File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_e373e90a-b40d-45c4-ac61-69a179d88b1d
Operation: Read persisted key from file.
Return Code: 0x0"
Audit Success 5/2/2017 7:52:19 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.

Subject:
Security ID: DESKTOP-TM5QNT2\Jai
Account Name: Jai
Account Domain: DESKTOP-TM5QNT2
Logon ID: 0x44E3A

User:
Security ID: DESKTOP-TM5QNT2\Jai
Account Name: Jai
Account Domain: DESKTOP-TM5QNT2

Process Information:
Process ID: 0x15f4
Process Name: C:\Windows\explorer.exe"
Audit Success 5/2/2017 7:52:18 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.

Subject:
Security ID: DESKTOP-TM5QNT2\Jai
Account Name: Jai
Account Domain: DESKTOP-TM5QNT2
Logon ID: 0x44E3A

User:
Security ID: DESKTOP-TM5QNT2\Jai
Account Name: Jai
Account Domain: DESKTOP-TM5QNT2

Process Information:
Process ID: 0x15f4
Process Name: C:\Windows\explorer.exe"
Audit Success 5/2/2017 7:52:18 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Group:
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin

Process Information:
Process ID: 0x5bc
Process Name: C:\Windows\System32\svchost.exe"
Audit Success 5/2/2017 7:52:17 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: DESKTOP-TM5QNT2\Jai
Account Name: Jai
Account Domain: DESKTOP-TM5QNT2
Logon ID: 0x44E03

Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:17 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: DESKTOP-TM5QNT2\Jai
Account Name: Jai
Account Domain: DESKTOP-TM5QNT2
Logon ID: 0x44E3A
Linked Logon ID: 0x44E03
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x678
Process Name: C:\Windows\System32\svchost.exe

Network Information:
Workstation Name: DESKTOP-TM5QNT2
Source Network Address: 127.0.0.1
Source Port: 0

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:17 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: DESKTOP-TM5QNT2\Jai
Account Name: Jai
Account Domain: DESKTOP-TM5QNT2
Logon ID: 0x44E03
Linked Logon ID: 0x44E3A
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x678
Process Name: C:\Windows\System32\svchost.exe

Network Information:
Workstation Name: DESKTOP-TM5QNT2
Source Network Address: 127.0.0.1
Source Port: 0

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:17 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: Jai
Account Domain: DESKTOP-TM5QNT2
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x678
Process Name: C:\Windows\System32\svchost.exe

Network Information:
Network Address: 127.0.0.1
Port: 0

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Audit Success 5/2/2017 7:52:12 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Group:
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin

Process Information:
Process ID: 0x1084
Process Name: C:\Windows\System32\SearchIndexer.exe"
Audit Success 5/2/2017 7:52:12 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:12 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:12 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:12 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:12 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

User:
Security ID: DESKTOP-TM5QNT2\Jai
Account Name: Jai
Account Domain: DESKTOP-TM5QNT2

Process Information:
Process ID: 0x464
Process Name: C:\Windows\System32\LogonUI.exe"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 5024 Other System Events The Windows Firewall service started successfully.
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Group:
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin

Process Information:
Process ID: 0xb24
Process Name: C:\Windows\System32\svchost.exe"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x26208
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Group:
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin

Process Information:
Process ID: 0xc28
Process Name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.

Subject:
Security ID: NETWORK SERVICE
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E4

Group:
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin

Process Information:
Process ID: 0x87c
Process Name: C:\Windows\System32\svchost.exe"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  1629.  
  1630. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  1631.  
  1632. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  1633.  
  1634. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  1635.  
  1636. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  1637.  
  1638. The authentication information fields provide detailed information about this specific logon request.
  1639. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  1640. - Transited services indicate which intermediate services have participated in this logon request.
  1641. - Package name indicates which sub-protocol was used among the NTLM protocols.
  1642. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  1643. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  1644.  
  1645. Subject:
  1646. Security ID: SYSTEM
  1647. Account Name: SYSTEM
  1648. Account Domain: NT AUTHORITY
  1649. Logon ID: 0x3E7
  1650.  
  1651. Privileges: SeAssignPrimaryTokenPrivilege
  1652. SeTcbPrivilege
  1653. SeSecurityPrivilege
  1654. SeTakeOwnershipPrivilege
  1655. SeLoadDriverPrivilege
  1656. SeBackupPrivilege
  1657. SeRestorePrivilege
  1658. SeDebugPrivilege
  1659. SeAuditPrivilege
  1660. SeSystemEnvironmentPrivilege
  1661. SeImpersonatePrivilege
  1662. SeDelegateSessionUserImpersonatePrivilege"
  1663. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  1664.  
  1665. Subject:
  1666. Security ID: SYSTEM
  1667. Account Name: DESKTOP-TM5QNT2$
  1668. Account Domain: WORKGROUP
  1669. Logon ID: 0x3E7
  1670.  
  1671. Logon Information:
  1672. Logon Type: 5
  1673. Restricted Admin Mode: -
  1674. Virtual Account: No
  1675. Elevated Token: Yes
  1676.  
  1677. Impersonation Level: Impersonation
  1678.  
  1679. New Logon:
  1680. Security ID: SYSTEM
  1681. Account Name: SYSTEM
  1682. Account Domain: NT AUTHORITY
  1683. Logon ID: 0x3E7
  1684. Linked Logon ID: 0x0
  1685. Network Account Name: -
  1686. Network Account Domain: -
  1687. Logon GUID: {00000000-0000-0000-0000-000000000000}
  1688.  
  1689. Process Information:
  1690. Process ID: 0x2fc
  1691. Process Name: C:\Windows\System32\services.exe
  1692.  
  1693. Network Information:
  1694. Workstation Name: -
  1695. Source Network Address: -
  1696. Source Port: -
  1697.  
  1698. Detailed Authentication Information:
  1699. Logon Process: Advapi
  1700. Authentication Package: Negotiate
  1701. Transited Services: -
  1702. Package Name (NTLM only): -
  1703. Key Length: 0
  1704.  
  1705. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  1706.  
  1707. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  1708.  
  1709. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  1710.  
  1711. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  1712.  
  1713. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  1714.  
  1715. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  1716.  
  1717. The authentication information fields provide detailed information about this specific logon request.
  1718. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  1719. - Transited services indicate which intermediate services have participated in this logon request.
  1720. - Package name indicates which sub-protocol was used among the NTLM protocols.
  1721. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  1722. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  1723.  
  1724. Subject:
  1725. Security ID: SYSTEM
  1726. Account Name: SYSTEM
  1727. Account Domain: NT AUTHORITY
  1728. Logon ID: 0x3E7
  1729.  
  1730. Privileges: SeAssignPrimaryTokenPrivilege
  1731. SeTcbPrivilege
  1732. SeSecurityPrivilege
  1733. SeTakeOwnershipPrivilege
  1734. SeLoadDriverPrivilege
  1735. SeBackupPrivilege
  1736. SeRestorePrivilege
  1737. SeDebugPrivilege
  1738. SeAuditPrivilege
  1739. SeSystemEnvironmentPrivilege
  1740. SeImpersonatePrivilege
  1741. SeDelegateSessionUserImpersonatePrivilege"
  1742. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  1743.  
  1744. Subject:
  1745. Security ID: SYSTEM
  1746. Account Name: DESKTOP-TM5QNT2$
  1747. Account Domain: WORKGROUP
  1748. Logon ID: 0x3E7
  1749.  
  1750. Logon Information:
  1751. Logon Type: 5
  1752. Restricted Admin Mode: -
  1753. Virtual Account: No
  1754. Elevated Token: Yes
  1755.  
  1756. Impersonation Level: Impersonation
  1757.  
  1758. New Logon:
  1759. Security ID: SYSTEM
  1760. Account Name: SYSTEM
  1761. Account Domain: NT AUTHORITY
  1762. Logon ID: 0x3E7
  1763. Linked Logon ID: 0x0
  1764. Network Account Name: -
  1765. Network Account Domain: -
  1766. Logon GUID: {00000000-0000-0000-0000-000000000000}
  1767.  
  1768. Process Information:
  1769. Process ID: 0x2fc
  1770. Process Name: C:\Windows\System32\services.exe
  1771.  
  1772. Network Information:
  1773. Workstation Name: -
  1774. Source Network Address: -
  1775. Source Port: -
  1776.  
  1777. Detailed Authentication Information:
  1778. Logon Process: Advapi
  1779. Authentication Package: Negotiate
  1780. Transited Services: -
  1781. Package Name (NTLM only): -
  1782. Key Length: 0
  1783.  
  1784. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  1785.  
  1786. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  1787.  
  1788. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  1789.  
  1790. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  1791.  
  1792. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  1793.  
  1794. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  1795.  
  1796. The authentication information fields provide detailed information about this specific logon request.
  1797. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  1798. - Transited services indicate which intermediate services have participated in this logon request.
  1799. - Package name indicates which sub-protocol was used among the NTLM protocols.
  1800. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  1801. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  1802.  
  1803. Subject:
  1804. Security ID: SYSTEM
  1805. Account Name: SYSTEM
  1806. Account Domain: NT AUTHORITY
  1807. Logon ID: 0x3E7
  1808.  
  1809. Privileges: SeAssignPrimaryTokenPrivilege
  1810. SeTcbPrivilege
  1811. SeSecurityPrivilege
  1812. SeTakeOwnershipPrivilege
  1813. SeLoadDriverPrivilege
  1814. SeBackupPrivilege
  1815. SeRestorePrivilege
  1816. SeDebugPrivilege
  1817. SeAuditPrivilege
  1818. SeSystemEnvironmentPrivilege
  1819. SeImpersonatePrivilege
  1820. SeDelegateSessionUserImpersonatePrivilege"
  1821. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  1822.  
  1823. Subject:
  1824. Security ID: SYSTEM
  1825. Account Name: DESKTOP-TM5QNT2$
  1826. Account Domain: WORKGROUP
  1827. Logon ID: 0x3E7
  1828.  
  1829. Logon Information:
  1830. Logon Type: 5
  1831. Restricted Admin Mode: -
  1832. Virtual Account: No
  1833. Elevated Token: Yes
  1834.  
  1835. Impersonation Level: Impersonation
  1836.  
  1837. New Logon:
  1838. Security ID: SYSTEM
  1839. Account Name: SYSTEM
  1840. Account Domain: NT AUTHORITY
  1841. Logon ID: 0x3E7
  1842. Linked Logon ID: 0x0
  1843. Network Account Name: -
  1844. Network Account Domain: -
  1845. Logon GUID: {00000000-0000-0000-0000-000000000000}
  1846.  
  1847. Process Information:
  1848. Process ID: 0x2fc
  1849. Process Name: C:\Windows\System32\services.exe
  1850.  
  1851. Network Information:
  1852. Workstation Name: -
  1853. Source Network Address: -
  1854. Source Port: -
  1855.  
  1856. Detailed Authentication Information:
  1857. Logon Process: Advapi
  1858. Authentication Package: Negotiate
  1859. Transited Services: -
  1860. Package Name (NTLM only): -
  1861. Key Length: 0
  1862.  
  1863. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  1864.  
  1865. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  1866.  
  1867. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  1868.  
  1869. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  1870.  
  1871. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  1872.  
  1873. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  1874.  
  1875. The authentication information fields provide detailed information about this specific logon request.
  1876. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  1877. - Transited services indicate which intermediate services have participated in this logon request.
  1878. - Package name indicates which sub-protocol was used among the NTLM protocols.
  1879. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  1880. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  1881.  
  1882. Subject:
  1883. Security ID: SYSTEM
  1884. Account Name: SYSTEM
  1885. Account Domain: NT AUTHORITY
  1886. Logon ID: 0x3E7
  1887.  
  1888. Privileges: SeAssignPrimaryTokenPrivilege
  1889. SeTcbPrivilege
  1890. SeSecurityPrivilege
  1891. SeTakeOwnershipPrivilege
  1892. SeLoadDriverPrivilege
  1893. SeBackupPrivilege
  1894. SeRestorePrivilege
  1895. SeDebugPrivilege
  1896. SeAuditPrivilege
  1897. SeSystemEnvironmentPrivilege
  1898. SeImpersonatePrivilege
  1899. SeDelegateSessionUserImpersonatePrivilege"
  1900. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  1901.  
  1902. Subject:
  1903. Security ID: SYSTEM
  1904. Account Name: DESKTOP-TM5QNT2$
  1905. Account Domain: WORKGROUP
  1906. Logon ID: 0x3E7
  1907.  
  1908. Logon Information:
  1909. Logon Type: 5
  1910. Restricted Admin Mode: -
  1911. Virtual Account: No
  1912. Elevated Token: Yes
  1913.  
  1914. Impersonation Level: Impersonation
  1915.  
  1916. New Logon:
  1917. Security ID: SYSTEM
  1918. Account Name: SYSTEM
  1919. Account Domain: NT AUTHORITY
  1920. Logon ID: 0x3E7
  1921. Linked Logon ID: 0x0
  1922. Network Account Name: -
  1923. Network Account Domain: -
  1924. Logon GUID: {00000000-0000-0000-0000-000000000000}
  1925.  
  1926. Process Information:
  1927. Process ID: 0x2fc
  1928. Process Name: C:\Windows\System32\services.exe
  1929.  
  1930. Network Information:
  1931. Workstation Name: -
  1932. Source Network Address: -
  1933. Source Port: -
  1934.  
  1935. Detailed Authentication Information:
  1936. Logon Process: Advapi
  1937. Authentication Package: Negotiate
  1938. Transited Services: -
  1939. Package Name (NTLM only): -
  1940. Key Length: 0
  1941.  
  1942. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  1943.  
  1944. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  1945.  
  1946. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  1947.  
  1948. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  1949.  
  1950. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  1951.  
  1952. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  1953.  
  1954. The authentication information fields provide detailed information about this specific logon request.
  1955. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  1956. - Transited services indicate which intermediate services have participated in this logon request.
  1957. - Package name indicates which sub-protocol was used among the NTLM protocols.
  1958. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  1959. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  1960.  
  1961. Subject:
  1962. Security ID: SYSTEM
  1963. Account Name: SYSTEM
  1964. Account Domain: NT AUTHORITY
  1965. Logon ID: 0x3E7
  1966.  
  1967. Privileges: SeAssignPrimaryTokenPrivilege
  1968. SeTcbPrivilege
  1969. SeSecurityPrivilege
  1970. SeTakeOwnershipPrivilege
  1971. SeLoadDriverPrivilege
  1972. SeBackupPrivilege
  1973. SeRestorePrivilege
  1974. SeDebugPrivilege
  1975. SeAuditPrivilege
  1976. SeSystemEnvironmentPrivilege
  1977. SeImpersonatePrivilege
  1978. SeDelegateSessionUserImpersonatePrivilege"
  1979. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  1980.  
  1981. Subject:
  1982. Security ID: SYSTEM
  1983. Account Name: DESKTOP-TM5QNT2$
  1984. Account Domain: WORKGROUP
  1985. Logon ID: 0x3E7
  1986.  
  1987. Logon Information:
  1988. Logon Type: 5
  1989. Restricted Admin Mode: -
  1990. Virtual Account: No
  1991. Elevated Token: Yes
  1992.  
  1993. Impersonation Level: Impersonation
  1994.  
  1995. New Logon:
  1996. Security ID: SYSTEM
  1997. Account Name: SYSTEM
  1998. Account Domain: NT AUTHORITY
  1999. Logon ID: 0x3E7
  2000. Linked Logon ID: 0x0
  2001. Network Account Name: -
  2002. Network Account Domain: -
  2003. Logon GUID: {00000000-0000-0000-0000-000000000000}
  2004.  
  2005. Process Information:
  2006. Process ID: 0x2fc
  2007. Process Name: C:\Windows\System32\services.exe
  2008.  
  2009. Network Information:
  2010. Workstation Name: -
  2011. Source Network Address: -
  2012. Source Port: -
  2013.  
  2014. Detailed Authentication Information:
  2015. Logon Process: Advapi
  2016. Authentication Package: Negotiate
  2017. Transited Services: -
  2018. Package Name (NTLM only): -
  2019. Key Length: 0
  2020.  
  2021. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  2022.  
  2023. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  2024.  
  2025. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  2026.  
  2027. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  2028.  
  2029. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  2030.  
  2031. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  2032.  
  2033. The authentication information fields provide detailed information about this specific logon request.
  2034. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  2035. - Transited services indicate which intermediate services have participated in this logon request.
  2036. - Package name indicates which sub-protocol was used among the NTLM protocols.
  2037. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  2038. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  2039.  
  2040. Subject:
  2041. Security ID: SYSTEM
  2042. Account Name: SYSTEM
  2043. Account Domain: NT AUTHORITY
  2044. Logon ID: 0x3E7
  2045.  
  2046. Privileges: SeAssignPrimaryTokenPrivilege
  2047. SeTcbPrivilege
  2048. SeSecurityPrivilege
  2049. SeTakeOwnershipPrivilege
  2050. SeLoadDriverPrivilege
  2051. SeBackupPrivilege
  2052. SeRestorePrivilege
  2053. SeDebugPrivilege
  2054. SeAuditPrivilege
  2055. SeSystemEnvironmentPrivilege
  2056. SeImpersonatePrivilege
  2057. SeDelegateSessionUserImpersonatePrivilege"
  2058. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  2059.  
  2060. Subject:
  2061. Security ID: SYSTEM
  2062. Account Name: DESKTOP-TM5QNT2$
  2063. Account Domain: WORKGROUP
  2064. Logon ID: 0x3E7
  2065.  
  2066. Logon Information:
  2067. Logon Type: 5
  2068. Restricted Admin Mode: -
  2069. Virtual Account: No
  2070. Elevated Token: Yes
  2071.  
  2072. Impersonation Level: Impersonation
  2073.  
  2074. New Logon:
  2075. Security ID: SYSTEM
  2076. Account Name: SYSTEM
  2077. Account Domain: NT AUTHORITY
  2078. Logon ID: 0x3E7
  2079. Linked Logon ID: 0x0
  2080. Network Account Name: -
  2081. Network Account Domain: -
  2082. Logon GUID: {00000000-0000-0000-0000-000000000000}
  2083.  
  2084. Process Information:
  2085. Process ID: 0x2fc
  2086. Process Name: C:\Windows\System32\services.exe
  2087.  
  2088. Network Information:
  2089. Workstation Name: -
  2090. Source Network Address: -
  2091. Source Port: -
  2092.  
  2093. Detailed Authentication Information:
  2094. Logon Process: Advapi
  2095. Authentication Package: Negotiate
  2096. Transited Services: -
  2097. Package Name (NTLM only): -
  2098. Key Length: 0
  2099.  
  2100. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  2101.  
  2102. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  2103.  
  2104. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  2105.  
  2106. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  2107.  
  2108. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  2109.  
  2110. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  2111.  
  2112. The authentication information fields provide detailed information about this specific logon request.
  2113. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  2114. - Transited services indicate which intermediate services have participated in this logon request.
  2115. - Package name indicates which sub-protocol was used among the NTLM protocols.
  2116. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  2117. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  2118.  
  2119. Subject:
  2120. Security ID: SYSTEM
  2121. Account Name: SYSTEM
  2122. Account Domain: NT AUTHORITY
  2123. Logon ID: 0x3E7
  2124.  
  2125. Privileges: SeAssignPrimaryTokenPrivilege
  2126. SeTcbPrivilege
  2127. SeSecurityPrivilege
  2128. SeTakeOwnershipPrivilege
  2129. SeLoadDriverPrivilege
  2130. SeBackupPrivilege
  2131. SeRestorePrivilege
  2132. SeDebugPrivilege
  2133. SeAuditPrivilege
  2134. SeSystemEnvironmentPrivilege
  2135. SeImpersonatePrivilege
  2136. SeDelegateSessionUserImpersonatePrivilege"
  2137. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  2138.  
  2139. Subject:
  2140. Security ID: SYSTEM
  2141. Account Name: DESKTOP-TM5QNT2$
  2142. Account Domain: WORKGROUP
  2143. Logon ID: 0x3E7
  2144.  
  2145. Logon Information:
  2146. Logon Type: 5
  2147. Restricted Admin Mode: -
  2148. Virtual Account: No
  2149. Elevated Token: Yes
  2150.  
  2151. Impersonation Level: Impersonation
  2152.  
  2153. New Logon:
  2154. Security ID: SYSTEM
  2155. Account Name: SYSTEM
  2156. Account Domain: NT AUTHORITY
  2157. Logon ID: 0x3E7
  2158. Linked Logon ID: 0x0
  2159. Network Account Name: -
  2160. Network Account Domain: -
  2161. Logon GUID: {00000000-0000-0000-0000-000000000000}
  2162.  
  2163. Process Information:
  2164. Process ID: 0x2fc
  2165. Process Name: C:\Windows\System32\services.exe
  2166.  
  2167. Network Information:
  2168. Workstation Name: -
  2169. Source Network Address: -
  2170. Source Port: -
  2171.  
  2172. Detailed Authentication Information:
  2173. Logon Process: Advapi
  2174. Authentication Package: Negotiate
  2175. Transited Services: -
  2176. Package Name (NTLM only): -
  2177. Key Length: 0
  2178.  
  2179. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  2180.  
  2181. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  2182.  
  2183. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  2184.  
  2185. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  2186.  
  2187. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  2188.  
  2189. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  2190.  
  2191. The authentication information fields provide detailed information about this specific logon request.
  2192. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  2193. - Transited services indicate which intermediate services have participated in this logon request.
  2194. - Package name indicates which sub-protocol was used among the NTLM protocols.
  2195. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  2196. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  2197.  
  2198. Subject:
  2199. Security ID: SYSTEM
  2200. Account Name: SYSTEM
  2201. Account Domain: NT AUTHORITY
  2202. Logon ID: 0x3E7
  2203.  
  2204. Privileges: SeAssignPrimaryTokenPrivilege
  2205. SeTcbPrivilege
  2206. SeSecurityPrivilege
  2207. SeTakeOwnershipPrivilege
  2208. SeLoadDriverPrivilege
  2209. SeBackupPrivilege
  2210. SeRestorePrivilege
  2211. SeDebugPrivilege
  2212. SeAuditPrivilege
  2213. SeSystemEnvironmentPrivilege
  2214. SeImpersonatePrivilege
  2215. SeDelegateSessionUserImpersonatePrivilege"
  2216. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  2217.  
  2218. Subject:
  2219. Security ID: SYSTEM
  2220. Account Name: DESKTOP-TM5QNT2$
  2221. Account Domain: WORKGROUP
  2222. Logon ID: 0x3E7
  2223.  
  2224. Logon Information:
  2225. Logon Type: 5
  2226. Restricted Admin Mode: -
  2227. Virtual Account: No
  2228. Elevated Token: Yes
  2229.  
  2230. Impersonation Level: Impersonation
  2231.  
  2232. New Logon:
  2233. Security ID: SYSTEM
  2234. Account Name: SYSTEM
  2235. Account Domain: NT AUTHORITY
  2236. Logon ID: 0x3E7
  2237. Linked Logon ID: 0x0
  2238. Network Account Name: -
  2239. Network Account Domain: -
  2240. Logon GUID: {00000000-0000-0000-0000-000000000000}
  2241.  
  2242. Process Information:
  2243. Process ID: 0x2fc
  2244. Process Name: C:\Windows\System32\services.exe
  2245.  
  2246. Network Information:
  2247. Workstation Name: -
  2248. Source Network Address: -
  2249. Source Port: -
  2250.  
  2251. Detailed Authentication Information:
  2252. Logon Process: Advapi
  2253. Authentication Package: Negotiate
  2254. Transited Services: -
  2255. Package Name (NTLM only): -
  2256. Key Length: 0
  2257.  
  2258. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  2259.  
  2260. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  2261.  
  2262. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  2263.  
  2264. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  2265.  
  2266. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  2267.  
  2268. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  2269.  
  2270. The authentication information fields provide detailed information about this specific logon request.
  2271. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  2272. - Transited services indicate which intermediate services have participated in this logon request.
  2273. - Package name indicates which sub-protocol was used among the NTLM protocols.
  2274. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  2275. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  2276.  
  2277. Subject:
  2278. Security ID: SYSTEM
  2279. Account Name: SYSTEM
  2280. Account Domain: NT AUTHORITY
  2281. Logon ID: 0x3E7
  2282.  
  2283. Privileges: SeAssignPrimaryTokenPrivilege
  2284. SeTcbPrivilege
  2285. SeSecurityPrivilege
  2286. SeTakeOwnershipPrivilege
  2287. SeLoadDriverPrivilege
  2288. SeBackupPrivilege
  2289. SeRestorePrivilege
  2290. SeDebugPrivilege
  2291. SeAuditPrivilege
  2292. SeSystemEnvironmentPrivilege
  2293. SeImpersonatePrivilege
  2294. SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 5033 Other System Events The Windows Firewall Driver started successfully.
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2fc
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  3066. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  3067.  
  3068. Subject:
  3069. Security ID: SYSTEM
  3070. Account Name: SYSTEM
  3071. Account Domain: NT AUTHORITY
  3072. Logon ID: 0x3E7
  3073.  
  3074. Privileges: SeAssignPrimaryTokenPrivilege
  3075. SeTcbPrivilege
  3076. SeSecurityPrivilege
  3077. SeTakeOwnershipPrivilege
  3078. SeLoadDriverPrivilege
  3079. SeBackupPrivilege
  3080. SeRestorePrivilege
  3081. SeDebugPrivilege
  3082. SeAuditPrivilege
  3083. SeSystemEnvironmentPrivilege
  3084. SeImpersonatePrivilege
  3085. SeDelegateSessionUserImpersonatePrivilege"
  3086. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  3087.  
  3088. Subject:
  3089. Security ID: SYSTEM
  3090. Account Name: DESKTOP-TM5QNT2$
  3091. Account Domain: WORKGROUP
  3092. Logon ID: 0x3E7
  3093.  
  3094. Logon Information:
  3095. Logon Type: 5
  3096. Restricted Admin Mode: -
  3097. Virtual Account: No
  3098. Elevated Token: Yes
  3099.  
  3100. Impersonation Level: Impersonation
  3101.  
  3102. New Logon:
  3103. Security ID: SYSTEM
  3104. Account Name: SYSTEM
  3105. Account Domain: NT AUTHORITY
  3106. Logon ID: 0x3E7
  3107. Linked Logon ID: 0x0
  3108. Network Account Name: -
  3109. Network Account Domain: -
  3110. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3111.  
  3112. Process Information:
  3113. Process ID: 0x2fc
  3114. Process Name: C:\Windows\System32\services.exe
  3115.  
  3116. Network Information:
  3117. Workstation Name: -
  3118. Source Network Address: -
  3119. Source Port: -
  3120.  
  3121. Detailed Authentication Information:
  3122. Logon Process: Advapi
  3123. Authentication Package: Negotiate
  3124. Transited Services: -
  3125. Package Name (NTLM only): -
  3126. Key Length: 0
  3127.  
  3128. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  3129.  
  3130. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  3131.  
  3132. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  3133.  
  3134. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  3135.  
  3136. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  3137.  
  3138. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  3139.  
  3140. The authentication information fields provide detailed information about this specific logon request.
  3141. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  3142. - Transited services indicate which intermediate services have participated in this logon request.
  3143. - Package name indicates which sub-protocol was used among the NTLM protocols.
  3144. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  3145. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  3146.  
  3147. Subject:
  3148. Security ID: SYSTEM
  3149. Account Name: SYSTEM
  3150. Account Domain: NT AUTHORITY
  3151. Logon ID: 0x3E7
  3152.  
  3153. Privileges: SeAssignPrimaryTokenPrivilege
  3154. SeTcbPrivilege
  3155. SeSecurityPrivilege
  3156. SeTakeOwnershipPrivilege
  3157. SeLoadDriverPrivilege
  3158. SeBackupPrivilege
  3159. SeRestorePrivilege
  3160. SeDebugPrivilege
  3161. SeAuditPrivilege
  3162. SeSystemEnvironmentPrivilege
  3163. SeImpersonatePrivilege
  3164. SeDelegateSessionUserImpersonatePrivilege"
  3165. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  3166.  
  3167. Subject:
  3168. Security ID: SYSTEM
  3169. Account Name: DESKTOP-TM5QNT2$
  3170. Account Domain: WORKGROUP
  3171. Logon ID: 0x3E7
  3172.  
  3173. Logon Information:
  3174. Logon Type: 5
  3175. Restricted Admin Mode: -
  3176. Virtual Account: No
  3177. Elevated Token: Yes
  3178.  
  3179. Impersonation Level: Impersonation
  3180.  
  3181. New Logon:
  3182. Security ID: SYSTEM
  3183. Account Name: SYSTEM
  3184. Account Domain: NT AUTHORITY
  3185. Logon ID: 0x3E7
  3186. Linked Logon ID: 0x0
  3187. Network Account Name: -
  3188. Network Account Domain: -
  3189. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3190.  
  3191. Process Information:
  3192. Process ID: 0x2fc
  3193. Process Name: C:\Windows\System32\services.exe
  3194.  
  3195. Network Information:
  3196. Workstation Name: -
  3197. Source Network Address: -
  3198. Source Port: -
  3199.  
  3200. Detailed Authentication Information:
  3201. Logon Process: Advapi
  3202. Authentication Package: Negotiate
  3203. Transited Services: -
  3204. Package Name (NTLM only): -
  3205. Key Length: 0
  3206.  
  3207. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  3208.  
  3209. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  3210.  
  3211. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  3212.  
  3213. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  3214.  
  3215. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  3216.  
  3217. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  3218.  
  3219. The authentication information fields provide detailed information about this specific logon request.
  3220. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  3221. - Transited services indicate which intermediate services have participated in this logon request.
  3222. - Package name indicates which sub-protocol was used among the NTLM protocols.
  3223. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  3224. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  3225.  
  3226. Subject:
  3227. Security ID: LOCAL SERVICE
  3228. Account Name: LOCAL SERVICE
  3229. Account Domain: NT AUTHORITY
  3230. Logon ID: 0x3E5
  3231.  
  3232. Privileges: SeAssignPrimaryTokenPrivilege
  3233. SeAuditPrivilege
  3234. SeImpersonatePrivilege"
  3235. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  3236.  
  3237. Subject:
  3238. Security ID: SYSTEM
  3239. Account Name: DESKTOP-TM5QNT2$
  3240. Account Domain: WORKGROUP
  3241. Logon ID: 0x3E7
  3242.  
  3243. Logon Information:
  3244. Logon Type: 5
  3245. Restricted Admin Mode: -
  3246. Virtual Account: No
  3247. Elevated Token: Yes
  3248.  
  3249. Impersonation Level: Impersonation
  3250.  
  3251. New Logon:
  3252. Security ID: LOCAL SERVICE
  3253. Account Name: LOCAL SERVICE
  3254. Account Domain: NT AUTHORITY
  3255. Logon ID: 0x3E5
  3256. Linked Logon ID: 0x0
  3257. Network Account Name: -
  3258. Network Account Domain: -
  3259. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3260.  
  3261. Process Information:
  3262. Process ID: 0x2fc
  3263. Process Name: C:\Windows\System32\services.exe
  3264.  
  3265. Network Information:
  3266. Workstation Name: -
  3267. Source Network Address: -
  3268. Source Port: -
  3269.  
  3270. Detailed Authentication Information:
  3271. Logon Process: Advapi
  3272. Authentication Package: Negotiate
  3273. Transited Services: -
  3274. Package Name (NTLM only): -
  3275. Key Length: 0
  3276.  
  3277. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  3278.  
  3279. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  3280.  
  3281. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  3282.  
  3283. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  3284.  
  3285. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  3286.  
  3287. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  3288.  
  3289. The authentication information fields provide detailed information about this specific logon request.
  3290. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  3291. - Transited services indicate which intermediate services have participated in this logon request.
  3292. - Package name indicates which sub-protocol was used among the NTLM protocols.
  3293. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  3294. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  3295.  
  3296. Subject:
  3297. Security ID: SYSTEM
  3298. Account Name: SYSTEM
  3299. Account Domain: NT AUTHORITY
  3300. Logon ID: 0x3E7
  3301.  
  3302. Privileges: SeAssignPrimaryTokenPrivilege
  3303. SeTcbPrivilege
  3304. SeSecurityPrivilege
  3305. SeTakeOwnershipPrivilege
  3306. SeLoadDriverPrivilege
  3307. SeBackupPrivilege
  3308. SeRestorePrivilege
  3309. SeDebugPrivilege
  3310. SeAuditPrivilege
  3311. SeSystemEnvironmentPrivilege
  3312. SeImpersonatePrivilege
  3313. SeDelegateSessionUserImpersonatePrivilege"
  3314. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  3315.  
  3316. Subject:
  3317. Security ID: SYSTEM
  3318. Account Name: DESKTOP-TM5QNT2$
  3319. Account Domain: WORKGROUP
  3320. Logon ID: 0x3E7
  3321.  
  3322. Logon Information:
  3323. Logon Type: 5
  3324. Restricted Admin Mode: -
  3325. Virtual Account: No
  3326. Elevated Token: Yes
  3327.  
  3328. Impersonation Level: Impersonation
  3329.  
  3330. New Logon:
  3331. Security ID: SYSTEM
  3332. Account Name: SYSTEM
  3333. Account Domain: NT AUTHORITY
  3334. Logon ID: 0x3E7
  3335. Linked Logon ID: 0x0
  3336. Network Account Name: -
  3337. Network Account Domain: -
  3338. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3339.  
  3340. Process Information:
  3341. Process ID: 0x2fc
  3342. Process Name: C:\Windows\System32\services.exe
  3343.  
  3344. Network Information:
  3345. Workstation Name: -
  3346. Source Network Address: -
  3347. Source Port: -
  3348.  
  3349. Detailed Authentication Information:
  3350. Logon Process: Advapi
  3351. Authentication Package: Negotiate
  3352. Transited Services: -
  3353. Package Name (NTLM only): -
  3354. Key Length: 0
  3355.  
  3356. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  3357.  
  3358. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  3359.  
  3360. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  3361.  
  3362. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  3363.  
  3364. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  3365.  
  3366. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  3367.  
  3368. The authentication information fields provide detailed information about this specific logon request.
  3369. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  3370. - Transited services indicate which intermediate services have participated in this logon request.
  3371. - Package name indicates which sub-protocol was used among the NTLM protocols.
  3372. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  3373. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  3374.  
  3375. Subject:
  3376. Security ID: SYSTEM
  3377. Account Name: SYSTEM
  3378. Account Domain: NT AUTHORITY
  3379. Logon ID: 0x3E7
  3380.  
  3381. Privileges: SeAssignPrimaryTokenPrivilege
  3382. SeTcbPrivilege
  3383. SeSecurityPrivilege
  3384. SeTakeOwnershipPrivilege
  3385. SeLoadDriverPrivilege
  3386. SeBackupPrivilege
  3387. SeRestorePrivilege
  3388. SeDebugPrivilege
  3389. SeAuditPrivilege
  3390. SeSystemEnvironmentPrivilege
  3391. SeImpersonatePrivilege
  3392. SeDelegateSessionUserImpersonatePrivilege"
  3393. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  3394.  
  3395. Subject:
  3396. Security ID: SYSTEM
  3397. Account Name: DESKTOP-TM5QNT2$
  3398. Account Domain: WORKGROUP
  3399. Logon ID: 0x3E7
  3400.  
  3401. Logon Information:
  3402. Logon Type: 5
  3403. Restricted Admin Mode: -
  3404. Virtual Account: No
  3405. Elevated Token: Yes
  3406.  
  3407. Impersonation Level: Impersonation
  3408.  
  3409. New Logon:
  3410. Security ID: SYSTEM
  3411. Account Name: SYSTEM
  3412. Account Domain: NT AUTHORITY
  3413. Logon ID: 0x3E7
  3414. Linked Logon ID: 0x0
  3415. Network Account Name: -
  3416. Network Account Domain: -
  3417. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3418.  
  3419. Process Information:
  3420. Process ID: 0x2fc
  3421. Process Name: C:\Windows\System32\services.exe
  3422.  
  3423. Network Information:
  3424. Workstation Name: -
  3425. Source Network Address: -
  3426. Source Port: -
  3427.  
  3428. Detailed Authentication Information:
  3429. Logon Process: Advapi
  3430. Authentication Package: Negotiate
  3431. Transited Services: -
  3432. Package Name (NTLM only): -
  3433. Key Length: 0
  3434.  
  3435. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  3436.  
  3437. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  3438.  
  3439. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  3440.  
  3441. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  3442.  
  3443. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  3444.  
  3445. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  3446.  
  3447. The authentication information fields provide detailed information about this specific logon request.
  3448. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  3449. - Transited services indicate which intermediate services have participated in this logon request.
  3450. - Package name indicates which sub-protocol was used among the NTLM protocols.
  3451. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  3452. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  3453.  
  3454. Subject:
  3455. Security ID: Window Manager\DWM-1
  3456. Account Name: DWM-1
  3457. Account Domain: Window Manager
  3458. Logon ID: 0x113C4
  3459.  
  3460. Privileges: SeAssignPrimaryTokenPrivilege
  3461. SeAuditPrivilege"
  3462. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  3463.  
  3464. Subject:
  3465. Security ID: Window Manager\DWM-1
  3466. Account Name: DWM-1
  3467. Account Domain: Window Manager
  3468. Logon ID: 0x11389
  3469.  
  3470. Privileges: SeAssignPrimaryTokenPrivilege
  3471. SeAuditPrivilege
  3472. SeImpersonatePrivilege"
  3473. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  3474.  
  3475. Subject:
  3476. Security ID: SYSTEM
  3477. Account Name: DESKTOP-TM5QNT2$
  3478. Account Domain: WORKGROUP
  3479. Logon ID: 0x3E7
  3480.  
  3481. Logon Information:
  3482. Logon Type: 2
  3483. Restricted Admin Mode: -
  3484. Virtual Account: Yes
  3485. Elevated Token: No
  3486.  
  3487. Impersonation Level: Impersonation
  3488.  
  3489. New Logon:
  3490. Security ID: Window Manager\DWM-1
  3491. Account Name: DWM-1
  3492. Account Domain: Window Manager
  3493. Logon ID: 0x113C4
  3494. Linked Logon ID: 0x11389
  3495. Network Account Name: -
  3496. Network Account Domain: -
  3497. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3498.  
  3499. Process Information:
  3500. Process ID: 0x220
  3501. Process Name: C:\Windows\System32\winlogon.exe
  3502.  
  3503. Network Information:
  3504. Workstation Name: -
  3505. Source Network Address: -
  3506. Source Port: -
  3507.  
  3508. Detailed Authentication Information:
  3509. Logon Process: Advapi
  3510. Authentication Package: Negotiate
  3511. Transited Services: -
  3512. Package Name (NTLM only): -
  3513. Key Length: 0
  3514.  
  3515. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  3516.  
  3517. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  3518.  
  3519. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  3520.  
  3521. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  3522.  
  3523. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  3524.  
  3525. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  3526.  
  3527. The authentication information fields provide detailed information about this specific logon request.
  3528. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  3529. - Transited services indicate which intermediate services have participated in this logon request.
  3530. - Package name indicates which sub-protocol was used among the NTLM protocols.
  3531. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  3532. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  3533.  
  3534. Subject:
  3535. Security ID: SYSTEM
  3536. Account Name: DESKTOP-TM5QNT2$
  3537. Account Domain: WORKGROUP
  3538. Logon ID: 0x3E7
  3539.  
  3540. Logon Information:
  3541. Logon Type: 2
  3542. Restricted Admin Mode: -
  3543. Virtual Account: Yes
  3544. Elevated Token: Yes
  3545.  
  3546. Impersonation Level: Impersonation
  3547.  
  3548. New Logon:
  3549. Security ID: Window Manager\DWM-1
  3550. Account Name: DWM-1
  3551. Account Domain: Window Manager
  3552. Logon ID: 0x11389
  3553. Linked Logon ID: 0x113C4
  3554. Network Account Name: -
  3555. Network Account Domain: -
  3556. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3557.  
  3558. Process Information:
  3559. Process ID: 0x220
  3560. Process Name: C:\Windows\System32\winlogon.exe
  3561.  
  3562. Network Information:
  3563. Workstation Name: -
  3564. Source Network Address: -
  3565. Source Port: -
  3566.  
  3567. Detailed Authentication Information:
  3568. Logon Process: Advapi
  3569. Authentication Package: Negotiate
  3570. Transited Services: -
  3571. Package Name (NTLM only): -
  3572. Key Length: 0
  3573.  
  3574. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  3575.  
  3576. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  3577.  
  3578. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  3579.  
  3580. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  3581.  
  3582. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  3583.  
  3584. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  3585.  
  3586. The authentication information fields provide detailed information about this specific logon request.
  3587. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  3588. - Transited services indicate which intermediate services have participated in this logon request.
  3589. - Package name indicates which sub-protocol was used among the NTLM protocols.
  3590. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  3591. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
  3592.  
  3593. Subject:
  3594. Security ID: SYSTEM
  3595. Account Name: DESKTOP-TM5QNT2$
  3596. Account Domain: WORKGROUP
  3597. Logon ID: 0x3E7
  3598. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3599.  
  3600. Account Whose Credentials Were Used:
  3601. Account Name: DWM-1
  3602. Account Domain: Window Manager
  3603. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3604.  
  3605. Target Server:
  3606. Target Server Name: localhost
  3607. Additional Information: localhost
  3608.  
  3609. Process Information:
  3610. Process ID: 0x220
  3611. Process Name: C:\Windows\System32\winlogon.exe
  3612.  
  3613. Network Information:
  3614. Network Address: -
  3615. Port: -
  3616.  
  3617. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
  3618. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  3619.  
  3620. Subject:
  3621. Security ID: SYSTEM
  3622. Account Name: DESKTOP-TM5QNT2$
  3623. Account Domain: WORKGROUP
  3624. Logon ID: 0x3E7
  3625.  
  3626. Logon Information:
  3627. Logon Type: 2
  3628. Restricted Admin Mode: -
  3629. Virtual Account: Yes
  3630. Elevated Token: No
  3631.  
  3632. Impersonation Level: Impersonation
  3633.  
  3634. New Logon:
  3635. Security ID: Font Driver Host\UMFD-1
  3636. Account Name: UMFD-1
  3637. Account Domain: Font Driver Host
  3638. Logon ID: 0x102E5
  3639. Linked Logon ID: 0x0
  3640. Network Account Name: -
  3641. Network Account Domain: -
  3642. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3643.  
  3644. Process Information:
  3645. Process ID: 0x220
  3646. Process Name: C:\Windows\System32\winlogon.exe
  3647.  
  3648. Network Information:
  3649. Workstation Name: -
  3650. Source Network Address: -
  3651. Source Port: -
  3652.  
  3653. Detailed Authentication Information:
  3654. Logon Process: Advapi
  3655. Authentication Package: Negotiate
  3656. Transited Services: -
  3657. Package Name (NTLM only): -
  3658. Key Length: 0
  3659.  
  3660. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  3661.  
  3662. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  3663.  
  3664. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  3665.  
  3666. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  3667.  
  3668. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  3669.  
  3670. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  3671.  
  3672. The authentication information fields provide detailed information about this specific logon request.
  3673. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  3674. - Transited services indicate which intermediate services have participated in this logon request.
  3675. - Package name indicates which sub-protocol was used among the NTLM protocols.
  3676. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  3677. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
  3678.  
  3679. Subject:
  3680. Security ID: SYSTEM
  3681. Account Name: DESKTOP-TM5QNT2$
  3682. Account Domain: WORKGROUP
  3683. Logon ID: 0x3E7
  3684. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3685.  
  3686. Account Whose Credentials Were Used:
  3687. Account Name: UMFD-1
  3688. Account Domain: Font Driver Host
  3689. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3690.  
  3691. Target Server:
  3692. Target Server Name: localhost
  3693. Additional Information: localhost
  3694.  
  3695. Process Information:
  3696. Process ID: 0x220
  3697. Process Name: C:\Windows\System32\winlogon.exe
  3698.  
  3699. Network Information:
  3700. Network Address: -
  3701. Port: -
  3702.  
  3703. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
  3704. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  3705.  
  3706. Subject:
  3707. Security ID: SYSTEM
  3708. Account Name: SYSTEM
  3709. Account Domain: NT AUTHORITY
  3710. Logon ID: 0x3E7
  3711.  
  3712. Privileges: SeAssignPrimaryTokenPrivilege
  3713. SeTcbPrivilege
  3714. SeSecurityPrivilege
  3715. SeTakeOwnershipPrivilege
  3716. SeLoadDriverPrivilege
  3717. SeBackupPrivilege
  3718. SeRestorePrivilege
  3719. SeDebugPrivilege
  3720. SeAuditPrivilege
  3721. SeSystemEnvironmentPrivilege
  3722. SeImpersonatePrivilege
  3723. SeDelegateSessionUserImpersonatePrivilege"
  3724. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  3725.  
  3726. Subject:
  3727. Security ID: SYSTEM
  3728. Account Name: DESKTOP-TM5QNT2$
  3729. Account Domain: WORKGROUP
  3730. Logon ID: 0x3E7
  3731.  
  3732. Logon Information:
  3733. Logon Type: 5
  3734. Restricted Admin Mode: -
  3735. Virtual Account: No
  3736. Elevated Token: Yes
  3737.  
  3738. Impersonation Level: Impersonation
  3739.  
  3740. New Logon:
  3741. Security ID: SYSTEM
  3742. Account Name: SYSTEM
  3743. Account Domain: NT AUTHORITY
  3744. Logon ID: 0x3E7
  3745. Linked Logon ID: 0x0
  3746. Network Account Name: -
  3747. Network Account Domain: -
  3748. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3749.  
  3750. Process Information:
  3751. Process ID: 0x2fc
  3752. Process Name: C:\Windows\System32\services.exe
  3753.  
  3754. Network Information:
  3755. Workstation Name: -
  3756. Source Network Address: -
  3757. Source Port: -
  3758.  
  3759. Detailed Authentication Information:
  3760. Logon Process: Advapi
  3761. Authentication Package: Negotiate
  3762. Transited Services: -
  3763. Package Name (NTLM only): -
  3764. Key Length: 0
  3765.  
  3766. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  3767.  
  3768. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  3769.  
  3770. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  3771.  
  3772. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  3773.  
  3774. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  3775.  
  3776. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  3777.  
  3778. The authentication information fields provide detailed information about this specific logon request.
  3779. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  3780. - Transited services indicate which intermediate services have participated in this logon request.
  3781. - Package name indicates which sub-protocol was used among the NTLM protocols.
  3782. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  3783. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  3784.  
  3785. Subject:
  3786. Security ID: NETWORK SERVICE
  3787. Account Name: NETWORK SERVICE
  3788. Account Domain: NT AUTHORITY
  3789. Logon ID: 0x3E4
  3790.  
  3791. Privileges: SeAssignPrimaryTokenPrivilege
  3792. SeAuditPrivilege
  3793. SeImpersonatePrivilege"
  3794. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  3795.  
  3796. Subject:
  3797. Security ID: SYSTEM
  3798. Account Name: DESKTOP-TM5QNT2$
  3799. Account Domain: WORKGROUP
  3800. Logon ID: 0x3E7
  3801.  
  3802. Logon Information:
  3803. Logon Type: 5
  3804. Restricted Admin Mode: -
  3805. Virtual Account: No
  3806. Elevated Token: Yes
  3807.  
  3808. Impersonation Level: Impersonation
  3809.  
  3810. New Logon:
  3811. Security ID: NETWORK SERVICE
  3812. Account Name: NETWORK SERVICE
  3813. Account Domain: NT AUTHORITY
  3814. Logon ID: 0x3E4
  3815. Linked Logon ID: 0x0
  3816. Network Account Name: -
  3817. Network Account Domain: -
  3818. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3819.  
  3820. Process Information:
  3821. Process ID: 0x2fc
  3822. Process Name: C:\Windows\System32\services.exe
  3823.  
  3824. Network Information:
  3825. Workstation Name: -
  3826. Source Network Address: -
  3827. Source Port: -
  3828.  
  3829. Detailed Authentication Information:
  3830. Logon Process: Advapi
  3831. Authentication Package: Negotiate
  3832. Transited Services: -
  3833. Package Name (NTLM only): -
  3834. Key Length: 0
  3835.  
  3836. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  3837.  
  3838. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  3839.  
  3840. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  3841.  
  3842. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  3843.  
  3844. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  3845.  
  3846. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  3847.  
  3848. The authentication information fields provide detailed information about this specific logon request.
  3849. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  3850. - Transited services indicate which intermediate services have participated in this logon request.
  3851. - Package name indicates which sub-protocol was used among the NTLM protocols.
  3852. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  3853. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  3854.  
  3855. Subject:
  3856. Security ID: SYSTEM
  3857. Account Name: SYSTEM
  3858. Account Domain: NT AUTHORITY
  3859. Logon ID: 0x3E7
  3860.  
  3861. Privileges: SeAssignPrimaryTokenPrivilege
  3862. SeTcbPrivilege
  3863. SeSecurityPrivilege
  3864. SeTakeOwnershipPrivilege
  3865. SeLoadDriverPrivilege
  3866. SeBackupPrivilege
  3867. SeRestorePrivilege
  3868. SeDebugPrivilege
  3869. SeAuditPrivilege
  3870. SeSystemEnvironmentPrivilege
  3871. SeImpersonatePrivilege
  3872. SeDelegateSessionUserImpersonatePrivilege"
  3873. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  3874.  
  3875. Subject:
  3876. Security ID: SYSTEM
  3877. Account Name: DESKTOP-TM5QNT2$
  3878. Account Domain: WORKGROUP
  3879. Logon ID: 0x3E7
  3880.  
  3881. Logon Information:
  3882. Logon Type: 5
  3883. Restricted Admin Mode: -
  3884. Virtual Account: No
  3885. Elevated Token: Yes
  3886.  
  3887. Impersonation Level: Impersonation
  3888.  
  3889. New Logon:
  3890. Security ID: SYSTEM
  3891. Account Name: SYSTEM
  3892. Account Domain: NT AUTHORITY
  3893. Logon ID: 0x3E7
  3894. Linked Logon ID: 0x0
  3895. Network Account Name: -
  3896. Network Account Domain: -
  3897. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3898.  
  3899. Process Information:
  3900. Process ID: 0x2fc
  3901. Process Name: C:\Windows\System32\services.exe
  3902.  
  3903. Network Information:
  3904. Workstation Name: -
  3905. Source Network Address: -
  3906. Source Port: -
  3907.  
  3908. Detailed Authentication Information:
  3909. Logon Process: Advapi
  3910. Authentication Package: Negotiate
  3911. Transited Services: -
  3912. Package Name (NTLM only): -
  3913. Key Length: 0
  3914.  
  3915. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  3916.  
  3917. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  3918.  
  3919. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  3920.  
  3921. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  3922.  
  3923. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  3924.  
  3925. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  3926.  
  3927. The authentication information fields provide detailed information about this specific logon request.
  3928. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  3929. - Transited services indicate which intermediate services have participated in this logon request.
  3930. - Package name indicates which sub-protocol was used among the NTLM protocols.
  3931. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  3932. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  3933.  
  3934. Subject:
  3935. Security ID: SYSTEM
  3936. Account Name: DESKTOP-TM5QNT2$
  3937. Account Domain: WORKGROUP
  3938. Logon ID: 0x3E7
  3939.  
  3940. Logon Information:
  3941. Logon Type: 2
  3942. Restricted Admin Mode: -
  3943. Virtual Account: Yes
  3944. Elevated Token: No
  3945.  
  3946. Impersonation Level: Impersonation
  3947.  
  3948. New Logon:
  3949. Security ID: Font Driver Host\UMFD-0
  3950. Account Name: UMFD-0
  3951. Account Domain: Font Driver Host
  3952. Logon ID: 0xAE98
  3953. Linked Logon ID: 0x0
  3954. Network Account Name: -
  3955. Network Account Domain: -
  3956. Logon GUID: {00000000-0000-0000-0000-000000000000}
  3957.  
  3958. Process Information:
  3959. Process ID: 0x2ac
  3960. Process Name: C:\Windows\System32\wininit.exe
  3961.  
  3962. Network Information:
  3963. Workstation Name: -
  3964. Source Network Address: -
  3965. Source Port: -
  3966.  
  3967. Detailed Authentication Information:
  3968. Logon Process: Advapi
  3969. Authentication Package: Negotiate
  3970. Transited Services: -
  3971. Package Name (NTLM only): -
  3972. Key Length: 0
  3973.  
  3974. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  3975.  
  3976. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  3977.  
  3978. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  3979.  
  3980. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  3981.  
  3982. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  3983.  
  3984. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  3985.  
  3986. The authentication information fields provide detailed information about this specific logon request.
  3987. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  3988. - Transited services indicate which intermediate services have participated in this logon request.
  3989. - Package name indicates which sub-protocol was used among the NTLM protocols.
  3990. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  3991. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  3992.  
  3993. Subject:
  3994. Security ID: SYSTEM
  3995. Account Name: SYSTEM
  3996. Account Domain: NT AUTHORITY
  3997. Logon ID: 0x3E7
  3998.  
  3999. Privileges: SeAssignPrimaryTokenPrivilege
  4000. SeTcbPrivilege
  4001. SeSecurityPrivilege
  4002. SeTakeOwnershipPrivilege
  4003. SeLoadDriverPrivilege
  4004. SeBackupPrivilege
  4005. SeRestorePrivilege
  4006. SeDebugPrivilege
  4007. SeAuditPrivilege
  4008. SeSystemEnvironmentPrivilege
  4009. SeImpersonatePrivilege
  4010. SeDelegateSessionUserImpersonatePrivilege"
  4011. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
  4012.  
  4013. Subject:
  4014. Security ID: SYSTEM
  4015. Account Name: DESKTOP-TM5QNT2$
  4016. Account Domain: WORKGROUP
  4017. Logon ID: 0x3E7
  4018. Logon GUID: {00000000-0000-0000-0000-000000000000}
  4019.  
  4020. Account Whose Credentials Were Used:
  4021. Account Name: UMFD-0
  4022. Account Domain: Font Driver Host
  4023. Logon GUID: {00000000-0000-0000-0000-000000000000}
  4024.  
  4025. Target Server:
  4026. Target Server Name: localhost
  4027. Additional Information: localhost
  4028.  
  4029. Process Information:
  4030. Process ID: 0x2ac
  4031. Process Name: C:\Windows\System32\wininit.exe
  4032.  
  4033. Network Information:
  4034. Network Address: -
  4035. Port: -
  4036.  
  4037. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
  4038. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  4039.  
  4040. Subject:
  4041. Security ID: SYSTEM
  4042. Account Name: DESKTOP-TM5QNT2$
  4043. Account Domain: WORKGROUP
  4044. Logon ID: 0x3E7
  4045.  
  4046. Logon Information:
  4047. Logon Type: 5
  4048. Restricted Admin Mode: -
  4049. Virtual Account: No
  4050. Elevated Token: Yes
  4051.  
  4052. Impersonation Level: Impersonation
  4053.  
  4054. New Logon:
  4055. Security ID: SYSTEM
  4056. Account Name: SYSTEM
  4057. Account Domain: NT AUTHORITY
  4058. Logon ID: 0x3E7
  4059. Linked Logon ID: 0x0
  4060. Network Account Name: -
  4061. Network Account Domain: -
  4062. Logon GUID: {00000000-0000-0000-0000-000000000000}
  4063.  
  4064. Process Information:
  4065. Process ID: 0x2fc
  4066. Process Name: C:\Windows\System32\services.exe
  4067.  
  4068. Network Information:
  4069. Workstation Name: -
  4070. Source Network Address: -
  4071. Source Port: -
  4072.  
  4073. Detailed Authentication Information:
  4074. Logon Process: Advapi
  4075. Authentication Package: Negotiate
  4076. Transited Services: -
  4077. Package Name (NTLM only): -
  4078. Key Length: 0
  4079.  
  4080. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  4081.  
  4082. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  4083.  
  4084. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  4085.  
  4086. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  4087.  
  4088. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  4089.  
  4090. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  4091.  
  4092. The authentication information fields provide detailed information about this specific logon request.
  4093. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  4094. - Transited services indicate which intermediate services have participated in this logon request.
  4095. - Package name indicates which sub-protocol was used among the NTLM protocols.
  4096. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  4097. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4902 Audit Policy Change "The Per-user audit policy table was created.
  4098.  
  4099. Number of Elements: 0
  4100. Policy ID: 0xAD31"
  4101. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  4102.  
  4103. Subject:
  4104. Security ID: NULL SID
  4105. Account Name: -
  4106. Account Domain: -
  4107. Logon ID: 0x0
  4108.  
  4109. Logon Information:
  4110. Logon Type: 0
  4111. Restricted Admin Mode: -
  4112. Virtual Account: No
  4113. Elevated Token: Yes
  4114.  
  4115. Impersonation Level: -
  4116.  
  4117. New Logon:
  4118. Security ID: SYSTEM
  4119. Account Name: SYSTEM
  4120. Account Domain: NT AUTHORITY
  4121. Logon ID: 0x3E7
  4122. Linked Logon ID: 0x0
  4123. Network Account Name: -
  4124. Network Account Domain: -
  4125. Logon GUID: {00000000-0000-0000-0000-000000000000}
  4126.  
  4127. Process Information:
  4128. Process ID: 0x4
  4129. Process Name:
  4130.  
  4131. Network Information:
  4132. Workstation Name: -
  4133. Source Network Address: -
  4134. Source Port: -
  4135.  
  4136. Detailed Authentication Information:
  4137. Logon Process: -
  4138. Authentication Package: -
  4139. Transited Services: -
  4140. Package Name (NTLM only): -
  4141. Key Length: 0
  4142.  
  4143. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  4144.  
  4145. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  4146.  
  4147. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  4148.  
  4149. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  4150.  
  4151. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  4152.  
  4153. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  4154.  
  4155. The authentication information fields provide detailed information about this specific logon request.
  4156. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  4157. - Transited services indicate which intermediate services have participated in this logon request.
  4158. - Package name indicates which sub-protocol was used among the NTLM protocols.
  4159. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  4160. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4608 Security State Change "Windows is starting up.
  4161.  
  4162. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized."
  4163. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  4164.  
  4165. Creator Subject:
  4166. Security ID: SYSTEM
  4167. Account Name: -
  4168. Account Domain: -
  4169. Logon ID: 0x3E7
  4170.  
  4171. Target Subject:
  4172. Security ID: NULL SID
  4173. Account Name: -
  4174. Account Domain: -
  4175. Logon ID: 0x0
  4176.  
  4177. Process Information:
  4178. New Process ID: 0x304
  4179. New Process Name: C:\Windows\System32\lsass.exe
  4180. Token Elevation Type: %%1936
  4181. Mandatory Label: Mandatory Label\System Mandatory Level
  4182. Creator Process ID: 0x2ac
  4183. Creator Process Name: C:\Windows\System32\wininit.exe
  4184. Process Command Line:
  4185.  
  4186. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  4187.  
  4188. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  4189.  
  4190. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  4191.  
  4192. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  4193. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  4194.  
  4195. Creator Subject:
  4196. Security ID: SYSTEM
  4197. Account Name: -
  4198. Account Domain: -
  4199. Logon ID: 0x3E7
  4200.  
  4201. Target Subject:
  4202. Security ID: NULL SID
  4203. Account Name: -
  4204. Account Domain: -
  4205. Logon ID: 0x0
  4206.  
  4207. Process Information:
  4208. New Process ID: 0x2fc
  4209. New Process Name: C:\Windows\System32\services.exe
  4210. Token Elevation Type: %%1936
  4211. Mandatory Label: Mandatory Label\System Mandatory Level
  4212. Creator Process ID: 0x2ac
  4213. Creator Process Name: C:\Windows\System32\wininit.exe
  4214. Process Command Line:
  4215.  
  4216. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  4217.  
  4218. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  4219.  
  4220. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  4221.  
  4222. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  4223. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  4224.  
  4225. Creator Subject:
  4226. Security ID: SYSTEM
  4227. Account Name: -
  4228. Account Domain: -
  4229. Logon ID: 0x3E7
  4230.  
  4231. Target Subject:
  4232. Security ID: NULL SID
  4233. Account Name: -
  4234. Account Domain: -
  4235. Logon ID: 0x0
  4236.  
  4237. Process Information:
  4238. New Process ID: 0x2b4
  4239. New Process Name: C:\Windows\System32\csrss.exe
  4240. Token Elevation Type: %%1936
  4241. Mandatory Label: Mandatory Label\System Mandatory Level
  4242. Creator Process ID: 0x2a4
  4243. Creator Process Name: C:\Windows\System32\smss.exe
  4244. Process Command Line:
  4245.  
  4246. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  4247.  
  4248. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  4249.  
  4250. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  4251.  
  4252. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  4253. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  4254.  
  4255. Creator Subject:
  4256. Security ID: SYSTEM
  4257. Account Name: -
  4258. Account Domain: -
  4259. Logon ID: 0x3E7
  4260.  
  4261. Target Subject:
  4262. Security ID: NULL SID
  4263. Account Name: -
  4264. Account Domain: -
  4265. Logon ID: 0x0
  4266.  
  4267. Process Information:
  4268. New Process ID: 0x2ac
  4269. New Process Name: C:\Windows\System32\wininit.exe
  4270. Token Elevation Type: %%1936
  4271. Mandatory Label: Mandatory Label\System Mandatory Level
  4272. Creator Process ID: 0x238
  4273. Creator Process Name: C:\Windows\System32\smss.exe
  4274. Process Command Line:
  4275.  
  4276. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  4277.  
  4278. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  4279.  
  4280. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  4281.  
  4282. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  4283. Audit Success 5/2/2017 7:52:10 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  4284.  
  4285. Creator Subject:
  4286. Security ID: SYSTEM
  4287. Account Name: -
  4288. Account Domain: -
  4289. Logon ID: 0x3E7
  4290.  
  4291. Target Subject:
  4292. Security ID: NULL SID
  4293. Account Name: -
  4294. Account Domain: -
  4295. Logon ID: 0x0
  4296.  
  4297. Process Information:
  4298. New Process ID: 0x2a4
  4299. New Process Name: C:\Windows\System32\smss.exe
  4300. Token Elevation Type: %%1936
  4301. Mandatory Label: Mandatory Label\System Mandatory Level
  4302. Creator Process ID: 0x1c8
  4303. Creator Process Name: C:\Windows\System32\smss.exe
  4304. Process Command Line:
  4305.  
  4306. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  4307.  
  4308. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  4309.  
  4310. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  4311.  
  4312. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  4313. Audit Success 5/2/2017 7:52:09 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  4314.  
  4315. Creator Subject:
  4316. Security ID: SYSTEM
  4317. Account Name: -
  4318. Account Domain: -
  4319. Logon ID: 0x3E7
  4320.  
  4321. Target Subject:
  4322. Security ID: NULL SID
  4323. Account Name: -
  4324. Account Domain: -
  4325. Logon ID: 0x0
  4326.  
  4327. Process Information:
  4328. New Process ID: 0x244
  4329. New Process Name: C:\Windows\System32\csrss.exe
  4330. Token Elevation Type: %%1936
  4331. Mandatory Label: Mandatory Label\System Mandatory Level
  4332. Creator Process ID: 0x238
  4333. Creator Process Name: C:\Windows\System32\smss.exe
  4334. Process Command Line:
  4335.  
  4336. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  4337.  
  4338. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  4339.  
  4340. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  4341.  
  4342. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  4343. Audit Success 5/2/2017 7:52:09 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  4344.  
  4345. Creator Subject:
  4346. Security ID: SYSTEM
  4347. Account Name: -
  4348. Account Domain: -
  4349. Logon ID: 0x3E7
  4350.  
  4351. Target Subject:
  4352. Security ID: NULL SID
  4353. Account Name: -
  4354. Account Domain: -
  4355. Logon ID: 0x0
  4356.  
  4357. Process Information:
  4358. New Process ID: 0x238
  4359. New Process Name: C:\Windows\System32\smss.exe
  4360. Token Elevation Type: %%1936
  4361. Mandatory Label: Mandatory Label\System Mandatory Level
  4362. Creator Process ID: 0x1c8
  4363. Creator Process Name: C:\Windows\System32\smss.exe
  4364. Process Command Line:
  4365.  
  4366. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  4367.  
  4368. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  4369.  
  4370. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  4371.  
  4372. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  4373. Audit Success 5/2/2017 7:52:08 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  4374.  
  4375. Creator Subject:
  4376. Security ID: SYSTEM
  4377. Account Name: -
  4378. Account Domain: -
  4379. Logon ID: 0x3E7
  4380.  
  4381. Target Subject:
  4382. Security ID: NULL SID
  4383. Account Name: -
  4384. Account Domain: -
  4385. Logon ID: 0x0
  4386.  
  4387. Process Information:
  4388. New Process ID: 0x1d4
  4389. New Process Name: C:\Windows\System32\autochk.exe
  4390. Token Elevation Type: %%1936
  4391. Mandatory Label: Mandatory Label\System Mandatory Level
  4392. Creator Process ID: 0x1c8
  4393. Creator Process Name: C:\Windows\System32\smss.exe
  4394. Process Command Line:
  4395.  
  4396. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  4397.  
  4398. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  4399.  
  4400. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  4401.  
  4402. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  4403. Audit Success 5/2/2017 7:52:08 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  4404.  
  4405. Creator Subject:
  4406. Security ID: SYSTEM
  4407. Account Name: -
  4408. Account Domain: -
  4409. Logon ID: 0x3E7
  4410.  
  4411. Target Subject:
  4412. Security ID: NULL SID
  4413. Account Name: -
  4414. Account Domain: -
  4415. Logon ID: 0x0
  4416.  
  4417. Process Information:
  4418. New Process ID: 0x1c8
  4419. New Process Name: C:\Windows\System32\smss.exe
  4420. Token Elevation Type: %%1936
  4421. Mandatory Label: Mandatory Label\System Mandatory Level
  4422. Creator Process ID: 0x4
  4423. Creator Process Name:
  4424. Process Command Line:
  4425.  
  4426. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  4427.  
  4428. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  4429.  
  4430. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  4431.  
  4432. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  4433. Audit Success 5/2/2017 7:52:08 PM Microsoft-Windows-Security-Auditing 4826 Other Policy Change Events "Boot Configuration Data loaded.
  4434.  
  4435. Subject:
  4436. Security ID: SYSTEM
  4437. Account Name: -
  4438. Account Domain: -
  4439. Logon ID: 0x3E7
  4440.  
  4441. General Settings:
  4442. Load Options: -
  4443. Advanced Options: No
  4444. Configuration Access Policy: Default
  4445. System Event Logging: No
  4446. Kernel Debugging: No
  4447. VSM Launch Type: Off
  4448.  
  4449. Signature Settings:
  4450. Test Signing: No
  4451. Flight Signing: No
  4452. Disable Integrity Checks: No
  4453.  
  4454. HyperVisor Settings:
  4455. HyperVisor Load Options: -
  4456. HyperVisor Launch Type: Off
  4457. HyperVisor Debugging: No"
  4458. Audit Success 5/2/2017 7:52:11 PM Microsoft-Windows-Eventlog 1101 Event processing Audit events have been dropped by the transport. 0
  4459. Audit Success 5/2/2017 7:49:14 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  4460.  
  4461. Subject:
  4462. Security ID: SYSTEM
  4463. Account Name: SYSTEM
  4464. Account Domain: NT AUTHORITY
  4465. Logon ID: 0x3E7
  4466.  
  4467. Privileges: SeAssignPrimaryTokenPrivilege
  4468. SeTcbPrivilege
  4469. SeSecurityPrivilege
  4470. SeTakeOwnershipPrivilege
  4471. SeLoadDriverPrivilege
  4472. SeBackupPrivilege
  4473. SeRestorePrivilege
  4474. SeDebugPrivilege
  4475. SeAuditPrivilege
  4476. SeSystemEnvironmentPrivilege
  4477. SeImpersonatePrivilege
  4478. SeDelegateSessionUserImpersonatePrivilege"
  4479. Audit Success 5/2/2017 7:49:14 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  4480.  
  4481. Subject:
  4482. Security ID: SYSTEM
  4483. Account Name: DESKTOP-TM5QNT2$
  4484. Account Domain: WORKGROUP
  4485. Logon ID: 0x3E7
  4486.  
  4487. Logon Information:
  4488. Logon Type: 5
  4489. Restricted Admin Mode: -
  4490. Virtual Account: No
  4491. Elevated Token: Yes
  4492.  
  4493. Impersonation Level: Impersonation
  4494.  
  4495. New Logon:
  4496. Security ID: SYSTEM
  4497. Account Name: SYSTEM
  4498. Account Domain: NT AUTHORITY
  4499. Logon ID: 0x3E7
  4500. Linked Logon ID: 0x0
  4501. Network Account Name: -
  4502. Network Account Domain: -
  4503. Logon GUID: {00000000-0000-0000-0000-000000000000}
  4504.  
  4505. Process Information:
  4506. Process ID: 0x2f0
  4507. Process Name: C:\Windows\System32\services.exe
  4508.  
  4509. Network Information:
  4510. Workstation Name: -
  4511. Source Network Address: -
  4512. Source Port: -
  4513.  
  4514. Detailed Authentication Information:
  4515. Logon Process: Advapi
  4516. Authentication Package: Negotiate
  4517. Transited Services: -
  4518. Package Name (NTLM only): -
  4519. Key Length: 0
  4520.  
  4521. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  4522.  
  4523. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  4524.  
  4525. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  4526.  
  4527. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  4528.  
  4529. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  4530.  
  4531. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  4532.  
  4533. The authentication information fields provide detailed information about this specific logon request.
  4534. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  4535. - Transited services indicate which intermediate services have participated in this logon request.
  4536. - Package name indicates which sub-protocol was used among the NTLM protocols.
  4537. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  4538. Audit Success 5/2/2017 7:38:55 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  4539.  
  4540. Subject:
  4541. Security ID: SYSTEM
  4542. Account Name: SYSTEM
  4543. Account Domain: NT AUTHORITY
  4544. Logon ID: 0x3E7
  4545.  
  4546. Privileges: SeAssignPrimaryTokenPrivilege
  4547. SeTcbPrivilege
  4548. SeSecurityPrivilege
  4549. SeTakeOwnershipPrivilege
  4550. SeLoadDriverPrivilege
  4551. SeBackupPrivilege
  4552. SeRestorePrivilege
  4553. SeDebugPrivilege
  4554. SeAuditPrivilege
  4555. SeSystemEnvironmentPrivilege
  4556. SeImpersonatePrivilege
  4557. SeDelegateSessionUserImpersonatePrivilege"
  4558. Audit Success 5/2/2017 7:38:55 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  4559.  
  4560. Subject:
  4561. Security ID: SYSTEM
  4562. Account Name: DESKTOP-TM5QNT2$
  4563. Account Domain: WORKGROUP
  4564. Logon ID: 0x3E7
  4565.  
  4566. Logon Information:
  4567. Logon Type: 5
  4568. Restricted Admin Mode: -
  4569. Virtual Account: No
  4570. Elevated Token: Yes
  4571.  
  4572. Impersonation Level: Impersonation
  4573.  
  4574. New Logon:
  4575. Security ID: SYSTEM
  4576. Account Name: SYSTEM
  4577. Account Domain: NT AUTHORITY
  4578. Logon ID: 0x3E7
  4579. Linked Logon ID: 0x0
  4580. Network Account Name: -
  4581. Network Account Domain: -
  4582. Logon GUID: {00000000-0000-0000-0000-000000000000}
  4583.  
  4584. Process Information:
  4585. Process ID: 0x2f0
  4586. Process Name: C:\Windows\System32\services.exe
  4587.  
  4588. Network Information:
  4589. Workstation Name: -
  4590. Source Network Address: -
  4591. Source Port: -
  4592.  
  4593. Detailed Authentication Information:
  4594. Logon Process: Advapi
  4595. Authentication Package: Negotiate
  4596. Transited Services: -
  4597. Package Name (NTLM only): -
  4598. Key Length: 0
  4599.  
  4600. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  4601.  
  4602. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  4603.  
  4604. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  4605.  
  4606. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  4607.  
  4608. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  4609.  
  4610. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  4611.  
  4612. The authentication information fields provide detailed information about this specific logon request.
  4613. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  4614. - Transited services indicate which intermediate services have participated in this logon request.
  4615. - Package name indicates which sub-protocol was used among the NTLM protocols.
  4616. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  4617. Audit Success 5/2/2017 7:25:15 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  4618.  
  4619. Subject:
  4620. Security ID: DESKTOP-TM5QNT2\Jai
  4621. Account Name: Jai
  4622. Account Domain: DESKTOP-TM5QNT2
  4623. Logon ID: 0x44375
  4624.  
  4625. User:
  4626. Security ID: DESKTOP-TM5QNT2\Jai
  4627. Account Name: Jai
  4628. Account Domain: DESKTOP-TM5QNT2
  4629.  
  4630. Process Information:
  4631. Process ID: 0x11a0
  4632. Process Name: C:\Program Files\WinRAR\WinRAR.exe"
  4633. Audit Success 5/2/2017 7:24:12 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  4634.  
  4635. Subject:
  4636. Security ID: SYSTEM
  4637. Account Name: SYSTEM
  4638. Account Domain: NT AUTHORITY
  4639. Logon ID: 0x3E7
  4640.  
  4641. Privileges: SeAssignPrimaryTokenPrivilege
  4642. SeTcbPrivilege
  4643. SeSecurityPrivilege
  4644. SeTakeOwnershipPrivilege
  4645. SeLoadDriverPrivilege
  4646. SeBackupPrivilege
  4647. SeRestorePrivilege
  4648. SeDebugPrivilege
  4649. SeAuditPrivilege
  4650. SeSystemEnvironmentPrivilege
  4651. SeImpersonatePrivilege
  4652. SeDelegateSessionUserImpersonatePrivilege"
  4653. Audit Success 5/2/2017 7:24:12 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  4654.  
  4655. Subject:
  4656. Security ID: SYSTEM
  4657. Account Name: DESKTOP-TM5QNT2$
  4658. Account Domain: WORKGROUP
  4659. Logon ID: 0x3E7
  4660.  
  4661. Logon Information:
  4662. Logon Type: 5
  4663. Restricted Admin Mode: -
  4664. Virtual Account: No
  4665. Elevated Token: Yes
  4666.  
  4667. Impersonation Level: Impersonation
  4668.  
  4669. New Logon:
  4670. Security ID: SYSTEM
  4671. Account Name: SYSTEM
  4672. Account Domain: NT AUTHORITY
  4673. Logon ID: 0x3E7
  4674. Linked Logon ID: 0x0
  4675. Network Account Name: -
  4676. Network Account Domain: -
  4677. Logon GUID: {00000000-0000-0000-0000-000000000000}
  4678.  
  4679. Process Information:
  4680. Process ID: 0x2f0
  4681. Process Name: C:\Windows\System32\services.exe
  4682.  
  4683. Network Information:
  4684. Workstation Name: -
  4685. Source Network Address: -
  4686. Source Port: -
  4687.  
  4688. Detailed Authentication Information:
  4689. Logon Process: Advapi
  4690. Authentication Package: Negotiate
  4691. Transited Services: -
  4692. Package Name (NTLM only): -
  4693. Key Length: 0
  4694.  
  4695. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  4696.  
  4697. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  4698.  
  4699. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  4700.  
  4701. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  4702.  
  4703. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  4704.  
  4705. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  4706.  
  4707. The authentication information fields provide detailed information about this specific logon request.
  4708. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  4709. - Transited services indicate which intermediate services have participated in this logon request.
  4710. - Package name indicates which sub-protocol was used among the NTLM protocols.
  4711. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  4712. Audit Success 5/2/2017 7:16:56 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  4713.  
  4714. Subject:
  4715. Security ID: DESKTOP-TM5QNT2\Jai
  4716. Account Name: Jai
  4717. Account Domain: DESKTOP-TM5QNT2
  4718. Logon ID: 0x44375
  4719.  
  4720. User:
  4721. Security ID: DESKTOP-TM5QNT2\Jai
  4722. Account Name: Jai
  4723. Account Domain: DESKTOP-TM5QNT2
  4724.  
  4725. Process Information:
  4726. Process ID: 0x15e4
  4727. Process Name: C:\Windows\explorer.exe"
  4728. Audit Success 5/2/2017 7:16:55 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  4729.  
  4730. Subject:
  4731. Security ID: SYSTEM
  4732. Account Name: SYSTEM
  4733. Account Domain: NT AUTHORITY
  4734. Logon ID: 0x3E7
  4735.  
  4736. Privileges: SeAssignPrimaryTokenPrivilege
  4737. SeTcbPrivilege
  4738. SeSecurityPrivilege
  4739. SeTakeOwnershipPrivilege
  4740. SeLoadDriverPrivilege
  4741. SeBackupPrivilege
  4742. SeRestorePrivilege
  4743. SeDebugPrivilege
  4744. SeAuditPrivilege
  4745. SeSystemEnvironmentPrivilege
  4746. SeImpersonatePrivilege
  4747. SeDelegateSessionUserImpersonatePrivilege"
  4748. Audit Success 5/2/2017 7:16:55 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  4749.  
  4750. Subject:
  4751. Security ID: SYSTEM
  4752. Account Name: DESKTOP-TM5QNT2$
  4753. Account Domain: WORKGROUP
  4754. Logon ID: 0x3E7
  4755.  
  4756. Logon Information:
  4757. Logon Type: 5
  4758. Restricted Admin Mode: -
  4759. Virtual Account: No
  4760. Elevated Token: Yes
  4761.  
  4762. Impersonation Level: Impersonation
  4763.  
  4764. New Logon:
  4765. Security ID: SYSTEM
  4766. Account Name: SYSTEM
  4767. Account Domain: NT AUTHORITY
  4768. Logon ID: 0x3E7
  4769. Linked Logon ID: 0x0
  4770. Network Account Name: -
  4771. Network Account Domain: -
  4772. Logon GUID: {00000000-0000-0000-0000-000000000000}
  4773.  
  4774. Process Information:
  4775. Process ID: 0x2f0
  4776. Process Name: C:\Windows\System32\services.exe
  4777.  
  4778. Network Information:
  4779. Workstation Name: -
  4780. Source Network Address: -
  4781. Source Port: -
  4782.  
  4783. Detailed Authentication Information:
  4784. Logon Process: Advapi
  4785. Authentication Package: Negotiate
  4786. Transited Services: -
  4787. Package Name (NTLM only): -
  4788. Key Length: 0
  4789.  
  4790. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  4791.  
  4792. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  4793.  
  4794. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  4795.  
  4796. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  4797.  
  4798. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  4799.  
  4800. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  4801.  
  4802. The authentication information fields provide detailed information about this specific logon request.
  4803. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  4804. - Transited services indicate which intermediate services have participated in this logon request.
  4805. - Package name indicates which sub-protocol was used among the NTLM protocols.
  4806. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  4807. Audit Success 5/2/2017 7:15:24 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  4808.  
  4809. Subject:
  4810. Security ID: DESKTOP-TM5QNT2\Jai
  4811. Account Name: Jai
  4812. Account Domain: DESKTOP-TM5QNT2
  4813. Logon ID: 0x44375
  4814.  
  4815. User:
  4816. Security ID: DESKTOP-TM5QNT2\Jai
  4817. Account Name: Jai
  4818. Account Domain: DESKTOP-TM5QNT2
  4819.  
  4820. Process Information:
  4821. Process ID: 0x1d30
  4822. Process Name: C:\Program Files\WinRAR\WinRAR.exe"
  4823. Audit Success 5/2/2017 7:15:21 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  4824.  
  4825. Subject:
  4826. Security ID: SYSTEM
  4827. Account Name: SYSTEM
  4828. Account Domain: NT AUTHORITY
  4829. Logon ID: 0x3E7
  4830.  
  4831. Privileges: SeAssignPrimaryTokenPrivilege
  4832. SeTcbPrivilege
  4833. SeSecurityPrivilege
  4834. SeTakeOwnershipPrivilege
  4835. SeLoadDriverPrivilege
  4836. SeBackupPrivilege
  4837. SeRestorePrivilege
  4838. SeDebugPrivilege
  4839. SeAuditPrivilege
  4840. SeSystemEnvironmentPrivilege
  4841. SeImpersonatePrivilege
  4842. SeDelegateSessionUserImpersonatePrivilege"
  4843. Audit Success 5/2/2017 7:15:21 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  4844.  
  4845. Subject:
  4846. Security ID: SYSTEM
  4847. Account Name: DESKTOP-TM5QNT2$
  4848. Account Domain: WORKGROUP
  4849. Logon ID: 0x3E7
  4850.  
  4851. Logon Information:
  4852. Logon Type: 5
  4853. Restricted Admin Mode: -
  4854. Virtual Account: No
  4855. Elevated Token: Yes
  4856.  
  4857. Impersonation Level: Impersonation
  4858.  
  4859. New Logon:
  4860. Security ID: SYSTEM
  4861. Account Name: SYSTEM
  4862. Account Domain: NT AUTHORITY
  4863. Logon ID: 0x3E7
  4864. Linked Logon ID: 0x0
  4865. Network Account Name: -
  4866. Network Account Domain: -
  4867. Logon GUID: {00000000-0000-0000-0000-000000000000}
  4868.  
  4869. Process Information:
  4870. Process ID: 0x2f0
  4871. Process Name: C:\Windows\System32\services.exe
  4872.  
  4873. Network Information:
  4874. Workstation Name: -
  4875. Source Network Address: -
  4876. Source Port: -
  4877.  
  4878. Detailed Authentication Information:
  4879. Logon Process: Advapi
  4880. Authentication Package: Negotiate
  4881. Transited Services: -
  4882. Package Name (NTLM only): -
  4883. Key Length: 0
  4884.  
  4885. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  4886.  
  4887. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  4888.  
  4889. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  4890.  
  4891. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  4892.  
  4893. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  4894.  
  4895. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  4896.  
  4897. The authentication information fields provide detailed information about this specific logon request.
  4898. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  4899. - Transited services indicate which intermediate services have participated in this logon request.
  4900. - Package name indicates which sub-protocol was used among the NTLM protocols.
  4901. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  4902. Audit Success 5/2/2017 7:15:17 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  4903.  
  4904. Subject:
  4905. Security ID: DESKTOP-TM5QNT2\Jai
  4906. Account Name: Jai
  4907. Account Domain: DESKTOP-TM5QNT2
  4908. Logon ID: 0x44375
  4909.  
  4910. User:
  4911. Security ID: DESKTOP-TM5QNT2\Jai
  4912. Account Name: Jai
  4913. Account Domain: DESKTOP-TM5QNT2
  4914.  
  4915. Process Information:
  4916. Process ID: 0x15e4
  4917. Process Name: C:\Windows\explorer.exe"
  4918. Audit Success 5/2/2017 7:15:17 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  4919.  
  4920. Subject:
  4921. Security ID: DESKTOP-TM5QNT2\Jai
  4922. Account Name: Jai
  4923. Account Domain: DESKTOP-TM5QNT2
  4924. Logon ID: 0x44375
  4925.  
  4926. User:
  4927. Security ID: DESKTOP-TM5QNT2\Jai
  4928. Account Name: Jai
  4929. Account Domain: DESKTOP-TM5QNT2
  4930.  
  4931. Process Information:
  4932. Process ID: 0x15e4
  4933. Process Name: C:\Windows\explorer.exe"
  4934. Audit Success 5/2/2017 7:15:13 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  4935.  
  4936. Subject:
  4937. Security ID: SYSTEM
  4938. Account Name: SYSTEM
  4939. Account Domain: NT AUTHORITY
  4940. Logon ID: 0x3E7
  4941.  
  4942. Privileges: SeAssignPrimaryTokenPrivilege
  4943. SeTcbPrivilege
  4944. SeSecurityPrivilege
  4945. SeTakeOwnershipPrivilege
  4946. SeLoadDriverPrivilege
  4947. SeBackupPrivilege
  4948. SeRestorePrivilege
  4949. SeDebugPrivilege
  4950. SeAuditPrivilege
  4951. SeSystemEnvironmentPrivilege
  4952. SeImpersonatePrivilege
  4953. SeDelegateSessionUserImpersonatePrivilege"
  4954. Audit Success 5/2/2017 7:15:13 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  4955.  
  4956. Subject:
  4957. Security ID: SYSTEM
  4958. Account Name: DESKTOP-TM5QNT2$
  4959. Account Domain: WORKGROUP
  4960. Logon ID: 0x3E7
  4961.  
  4962. Logon Information:
  4963. Logon Type: 5
  4964. Restricted Admin Mode: -
  4965. Virtual Account: No
  4966. Elevated Token: Yes
  4967.  
  4968. Impersonation Level: Impersonation
  4969.  
  4970. New Logon:
  4971. Security ID: SYSTEM
  4972. Account Name: SYSTEM
  4973. Account Domain: NT AUTHORITY
  4974. Logon ID: 0x3E7
  4975. Linked Logon ID: 0x0
  4976. Network Account Name: -
  4977. Network Account Domain: -
  4978. Logon GUID: {00000000-0000-0000-0000-000000000000}
  4979.  
  4980. Process Information:
  4981. Process ID: 0x2f0
  4982. Process Name: C:\Windows\System32\services.exe
  4983.  
  4984. Network Information:
  4985. Workstation Name: -
  4986. Source Network Address: -
  4987. Source Port: -
  4988.  
  4989. Detailed Authentication Information:
  4990. Logon Process: Advapi
  4991. Authentication Package: Negotiate
  4992. Transited Services: -
  4993. Package Name (NTLM only): -
  4994. Key Length: 0
  4995.  
  4996. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  4997.  
  4998. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  4999.  
  5000. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  5001.  
  5002. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  5003.  
  5004. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  5005.  
  5006. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  5007.  
  5008. The authentication information fields provide detailed information about this specific logon request.
  5009. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  5010. - Transited services indicate which intermediate services have participated in this logon request.
  5011. - Package name indicates which sub-protocol was used among the NTLM protocols.
  5012. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  5013. Audit Success 5/2/2017 7:05:41 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  5014.  
  5015. Subject:
  5016. Security ID: SYSTEM
  5017. Account Name: SYSTEM
  5018. Account Domain: NT AUTHORITY
  5019. Logon ID: 0x3E7
  5020.  
  5021. Privileges: SeAssignPrimaryTokenPrivilege
  5022. SeTcbPrivilege
  5023. SeSecurityPrivilege
  5024. SeTakeOwnershipPrivilege
  5025. SeLoadDriverPrivilege
  5026. SeBackupPrivilege
  5027. SeRestorePrivilege
  5028. SeDebugPrivilege
  5029. SeAuditPrivilege
  5030. SeSystemEnvironmentPrivilege
  5031. SeImpersonatePrivilege
  5032. SeDelegateSessionUserImpersonatePrivilege"
  5033. Audit Success 5/2/2017 7:05:41 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  5034.  
  5035. Subject:
  5036. Security ID: SYSTEM
  5037. Account Name: DESKTOP-TM5QNT2$
  5038. Account Domain: WORKGROUP
  5039. Logon ID: 0x3E7
  5040.  
  5041. Logon Information:
  5042. Logon Type: 5
  5043. Restricted Admin Mode: -
  5044. Virtual Account: No
  5045. Elevated Token: Yes
  5046.  
  5047. Impersonation Level: Impersonation
  5048.  
  5049. New Logon:
  5050. Security ID: SYSTEM
  5051. Account Name: SYSTEM
  5052. Account Domain: NT AUTHORITY
  5053. Logon ID: 0x3E7
  5054. Linked Logon ID: 0x0
  5055. Network Account Name: -
  5056. Network Account Domain: -
  5057. Logon GUID: {00000000-0000-0000-0000-000000000000}
  5058.  
  5059. Process Information:
  5060. Process ID: 0x2f0
  5061. Process Name: C:\Windows\System32\services.exe
  5062.  
  5063. Network Information:
  5064. Workstation Name: -
  5065. Source Network Address: -
  5066. Source Port: -
  5067.  
  5068. Detailed Authentication Information:
  5069. Logon Process: Advapi
  5070. Authentication Package: Negotiate
  5071. Transited Services: -
  5072. Package Name (NTLM only): -
  5073. Key Length: 0
  5074.  
  5075. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  5076.  
  5077. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  5078.  
  5079. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  5080.  
  5081. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  5082.  
  5083. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  5084.  
  5085. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  5086.  
  5087. The authentication information fields provide detailed information about this specific logon request.
  5088. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  5089. - Transited services indicate which intermediate services have participated in this logon request.
  5090. - Package name indicates which sub-protocol was used among the NTLM protocols.
  5091. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  5092. Audit Success 5/2/2017 6:51:05 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  5093.  
  5094. Subject:
  5095. Security ID: SYSTEM
  5096. Account Name: SYSTEM
  5097. Account Domain: NT AUTHORITY
  5098. Logon ID: 0x3E7
  5099.  
  5100. Privileges: SeAssignPrimaryTokenPrivilege
  5101. SeTcbPrivilege
  5102. SeSecurityPrivilege
  5103. SeTakeOwnershipPrivilege
  5104. SeLoadDriverPrivilege
  5105. SeBackupPrivilege
  5106. SeRestorePrivilege
  5107. SeDebugPrivilege
  5108. SeAuditPrivilege
  5109. SeSystemEnvironmentPrivilege
  5110. SeImpersonatePrivilege
  5111. SeDelegateSessionUserImpersonatePrivilege"
  5112. Audit Success 5/2/2017 6:51:05 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  5113.  
  5114. Subject:
  5115. Security ID: SYSTEM
  5116. Account Name: DESKTOP-TM5QNT2$
  5117. Account Domain: WORKGROUP
  5118. Logon ID: 0x3E7
  5119.  
  5120. Logon Information:
  5121. Logon Type: 5
  5122. Restricted Admin Mode: -
  5123. Virtual Account: No
  5124. Elevated Token: Yes
  5125.  
  5126. Impersonation Level: Impersonation
  5127.  
  5128. New Logon:
  5129. Security ID: SYSTEM
  5130. Account Name: SYSTEM
  5131. Account Domain: NT AUTHORITY
  5132. Logon ID: 0x3E7
  5133. Linked Logon ID: 0x0
  5134. Network Account Name: -
  5135. Network Account Domain: -
  5136. Logon GUID: {00000000-0000-0000-0000-000000000000}
  5137.  
  5138. Process Information:
  5139. Process ID: 0x2f0
  5140. Process Name: C:\Windows\System32\services.exe
  5141.  
  5142. Network Information:
  5143. Workstation Name: -
  5144. Source Network Address: -
  5145. Source Port: -
  5146.  
  5147. Detailed Authentication Information:
  5148. Logon Process: Advapi
  5149. Authentication Package: Negotiate
  5150. Transited Services: -
  5151. Package Name (NTLM only): -
  5152. Key Length: 0
  5153.  
  5154. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  5155.  
  5156. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  5157.  
  5158. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  5159.  
  5160. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  5161.  
  5162. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  5163.  
  5164. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  5165.  
  5166. The authentication information fields provide detailed information about this specific logon request.
  5167. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  5168. - Transited services indicate which intermediate services have participated in this logon request.
  5169. - Package name indicates which sub-protocol was used among the NTLM protocols.
  5170. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  5171. Audit Success 5/2/2017 6:26:40 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  5172.  
  5173. Subject:
  5174. Security ID: SYSTEM
  5175. Account Name: SYSTEM
  5176. Account Domain: NT AUTHORITY
  5177. Logon ID: 0x3E7
  5178.  
  5179. Privileges: SeAssignPrimaryTokenPrivilege
  5180. SeTcbPrivilege
  5181. SeSecurityPrivilege
  5182. SeTakeOwnershipPrivilege
  5183. SeLoadDriverPrivilege
  5184. SeBackupPrivilege
  5185. SeRestorePrivilege
  5186. SeDebugPrivilege
  5187. SeAuditPrivilege
  5188. SeSystemEnvironmentPrivilege
  5189. SeImpersonatePrivilege
  5190. SeDelegateSessionUserImpersonatePrivilege"
  5191. Audit Success 5/2/2017 6:26:40 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  5192.  
  5193. Subject:
  5194. Security ID: SYSTEM
  5195. Account Name: DESKTOP-TM5QNT2$
  5196. Account Domain: WORKGROUP
  5197. Logon ID: 0x3E7
  5198.  
  5199. Logon Information:
  5200. Logon Type: 5
  5201. Restricted Admin Mode: -
  5202. Virtual Account: No
  5203. Elevated Token: Yes
  5204.  
  5205. Impersonation Level: Impersonation
  5206.  
  5207. New Logon:
  5208. Security ID: SYSTEM
  5209. Account Name: SYSTEM
  5210. Account Domain: NT AUTHORITY
  5211. Logon ID: 0x3E7
  5212. Linked Logon ID: 0x0
  5213. Network Account Name: -
  5214. Network Account Domain: -
  5215. Logon GUID: {00000000-0000-0000-0000-000000000000}
  5216.  
  5217. Process Information:
  5218. Process ID: 0x2f0
  5219. Process Name: C:\Windows\System32\services.exe
  5220.  
  5221. Network Information:
  5222. Workstation Name: -
  5223. Source Network Address: -
  5224. Source Port: -
  5225.  
  5226. Detailed Authentication Information:
  5227. Logon Process: Advapi
  5228. Authentication Package: Negotiate
  5229. Transited Services: -
  5230. Package Name (NTLM only): -
  5231. Key Length: 0
  5232.  
  5233. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  5234.  
  5235. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  5236.  
  5237. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  5238.  
  5239. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  5240.  
  5241. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  5242.  
  5243. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  5244.  
  5245. The authentication information fields provide detailed information about this specific logon request.
  5246. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  5247. - Transited services indicate which intermediate services have participated in this logon request.
  5248. - Package name indicates which sub-protocol was used among the NTLM protocols.
  5249. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  5250. Audit Success 5/2/2017 6:26:18 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  5251.  
  5252. Subject:
  5253. Security ID: DESKTOP-TM5QNT2\Jai
  5254. Account Name: Jai
  5255. Account Domain: DESKTOP-TM5QNT2
  5256. Logon ID: 0x44375
  5257.  
  5258. User:
  5259. Security ID: DESKTOP-TM5QNT2\Jai
  5260. Account Name: Jai
  5261. Account Domain: DESKTOP-TM5QNT2
  5262.  
  5263. Process Information:
  5264. Process ID: 0x15e4
  5265. Process Name: C:\Windows\explorer.exe"
  5266. Audit Success 5/2/2017 6:26:18 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  5267.  
  5268. Subject:
  5269. Security ID: SYSTEM
  5270. Account Name: SYSTEM
  5271. Account Domain: NT AUTHORITY
  5272. Logon ID: 0x3E7
  5273.  
  5274. Privileges: SeAssignPrimaryTokenPrivilege
  5275. SeTcbPrivilege
  5276. SeSecurityPrivilege
  5277. SeTakeOwnershipPrivilege
  5278. SeLoadDriverPrivilege
  5279. SeBackupPrivilege
  5280. SeRestorePrivilege
  5281. SeDebugPrivilege
  5282. SeAuditPrivilege
  5283. SeSystemEnvironmentPrivilege
  5284. SeImpersonatePrivilege
  5285. SeDelegateSessionUserImpersonatePrivilege"
  5286. Audit Success 5/2/2017 6:26:18 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  5287.  
  5288. Subject:
  5289. Security ID: SYSTEM
  5290. Account Name: DESKTOP-TM5QNT2$
  5291. Account Domain: WORKGROUP
  5292. Logon ID: 0x3E7
  5293.  
  5294. Logon Information:
  5295. Logon Type: 5
  5296. Restricted Admin Mode: -
  5297. Virtual Account: No
  5298. Elevated Token: Yes
  5299.  
  5300. Impersonation Level: Impersonation
  5301.  
  5302. New Logon:
  5303. Security ID: SYSTEM
  5304. Account Name: SYSTEM
  5305. Account Domain: NT AUTHORITY
  5306. Logon ID: 0x3E7
  5307. Linked Logon ID: 0x0
  5308. Network Account Name: -
  5309. Network Account Domain: -
  5310. Logon GUID: {00000000-0000-0000-0000-000000000000}
  5311.  
  5312. Process Information:
  5313. Process ID: 0x2f0
  5314. Process Name: C:\Windows\System32\services.exe
  5315.  
  5316. Network Information:
  5317. Workstation Name: -
  5318. Source Network Address: -
  5319. Source Port: -
  5320.  
  5321. Detailed Authentication Information:
  5322. Logon Process: Advapi
  5323. Authentication Package: Negotiate
  5324. Transited Services: -
  5325. Package Name (NTLM only): -
  5326. Key Length: 0
  5327.  
  5328. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  5329.  
  5330. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  5331.  
  5332. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  5333.  
  5334. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  5335.  
  5336. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  5337.  
  5338. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  5339.  
  5340. The authentication information fields provide detailed information about this specific logon request.
  5341. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  5342. - Transited services indicate which intermediate services have participated in this logon request.
  5343. - Package name indicates which sub-protocol was used among the NTLM protocols.
  5344. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  5345. Audit Success 5/2/2017 6:22:46 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  5346.  
  5347. Subject:
  5348. Security ID: SYSTEM
  5349. Account Name: SYSTEM
  5350. Account Domain: NT AUTHORITY
  5351. Logon ID: 0x3E7
  5352.  
  5353. Privileges: SeAssignPrimaryTokenPrivilege
  5354. SeTcbPrivilege
  5355. SeSecurityPrivilege
  5356. SeTakeOwnershipPrivilege
  5357. SeLoadDriverPrivilege
  5358. SeBackupPrivilege
  5359. SeRestorePrivilege
  5360. SeDebugPrivilege
  5361. SeAuditPrivilege
  5362. SeSystemEnvironmentPrivilege
  5363. SeImpersonatePrivilege
  5364. SeDelegateSessionUserImpersonatePrivilege"
  5365. Audit Success 5/2/2017 6:22:46 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  5366.  
  5367. Subject:
  5368. Security ID: SYSTEM
  5369. Account Name: DESKTOP-TM5QNT2$
  5370. Account Domain: WORKGROUP
  5371. Logon ID: 0x3E7
  5372.  
  5373. Logon Information:
  5374. Logon Type: 5
  5375. Restricted Admin Mode: -
  5376. Virtual Account: No
  5377. Elevated Token: Yes
  5378.  
  5379. Impersonation Level: Impersonation
  5380.  
  5381. New Logon:
  5382. Security ID: SYSTEM
  5383. Account Name: SYSTEM
  5384. Account Domain: NT AUTHORITY
  5385. Logon ID: 0x3E7
  5386. Linked Logon ID: 0x0
  5387. Network Account Name: -
  5388. Network Account Domain: -
  5389. Logon GUID: {00000000-0000-0000-0000-000000000000}
  5390.  
  5391. Process Information:
  5392. Process ID: 0x2f0
  5393. Process Name: C:\Windows\System32\services.exe
  5394.  
  5395. Network Information:
  5396. Workstation Name: -
  5397. Source Network Address: -
  5398. Source Port: -
  5399.  
  5400. Detailed Authentication Information:
  5401. Logon Process: Advapi
  5402. Authentication Package: Negotiate
  5403. Transited Services: -
  5404. Package Name (NTLM only): -
  5405. Key Length: 0
  5406.  
  5407. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  5408.  
  5409. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  5410.  
  5411. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  5412.  
  5413. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  5414.  
  5415. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  5416.  
  5417. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  5418.  
  5419. The authentication information fields provide detailed information about this specific logon request.
  5420. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  5421. - Transited services indicate which intermediate services have participated in this logon request.
  5422. - Package name indicates which sub-protocol was used among the NTLM protocols.
  5423. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  5424. Audit Success 5/2/2017 6:19:06 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  5425.  
  5426. Subject:
  5427. Security ID: DESKTOP-TM5QNT2\Jai
  5428. Account Name: Jai
  5429. Account Domain: DESKTOP-TM5QNT2
  5430. Logon ID: 0x44375
  5431.  
  5432. User:
  5433. Security ID: DESKTOP-TM5QNT2\Jai
  5434. Account Name: Jai
  5435. Account Domain: DESKTOP-TM5QNT2
  5436.  
  5437. Process Information:
  5438. Process ID: 0x15e4
  5439. Process Name: C:\Windows\explorer.exe"
  5440. Audit Success 5/2/2017 6:17:29 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  5441.  
  5442. Subject:
  5443. Security ID: DESKTOP-TM5QNT2\Jai
  5444. Account Name: Jai
  5445. Account Domain: DESKTOP-TM5QNT2
  5446. Logon ID: 0x44375
  5447.  
  5448. User:
  5449. Security ID: DESKTOP-TM5QNT2\Jai
  5450. Account Name: Jai
  5451. Account Domain: DESKTOP-TM5QNT2
  5452.  
  5453. Process Information:
  5454. Process ID: 0x15e4
  5455. Process Name: C:\Windows\explorer.exe"
  5456. Audit Success 5/2/2017 6:17:28 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  5457.  
  5458. Subject:
  5459. Security ID: SYSTEM
  5460. Account Name: SYSTEM
  5461. Account Domain: NT AUTHORITY
  5462. Logon ID: 0x3E7
  5463.  
  5464. Privileges: SeAssignPrimaryTokenPrivilege
  5465. SeTcbPrivilege
  5466. SeSecurityPrivilege
  5467. SeTakeOwnershipPrivilege
  5468. SeLoadDriverPrivilege
  5469. SeBackupPrivilege
  5470. SeRestorePrivilege
  5471. SeDebugPrivilege
  5472. SeAuditPrivilege
  5473. SeSystemEnvironmentPrivilege
  5474. SeImpersonatePrivilege
  5475. SeDelegateSessionUserImpersonatePrivilege"
  5476. Audit Success 5/2/2017 6:17:28 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  5477.  
  5478. Subject:
  5479. Security ID: SYSTEM
  5480. Account Name: DESKTOP-TM5QNT2$
  5481. Account Domain: WORKGROUP
  5482. Logon ID: 0x3E7
  5483.  
  5484. Logon Information:
  5485. Logon Type: 5
  5486. Restricted Admin Mode: -
  5487. Virtual Account: No
  5488. Elevated Token: Yes
  5489.  
  5490. Impersonation Level: Impersonation
  5491.  
  5492. New Logon:
  5493. Security ID: SYSTEM
  5494. Account Name: SYSTEM
  5495. Account Domain: NT AUTHORITY
  5496. Logon ID: 0x3E7
  5497. Linked Logon ID: 0x0
  5498. Network Account Name: -
  5499. Network Account Domain: -
  5500. Logon GUID: {00000000-0000-0000-0000-000000000000}
  5501.  
  5502. Process Information:
  5503. Process ID: 0x2f0
  5504. Process Name: C:\Windows\System32\services.exe
  5505.  
  5506. Network Information:
  5507. Workstation Name: -
  5508. Source Network Address: -
  5509. Source Port: -
  5510.  
  5511. Detailed Authentication Information:
  5512. Logon Process: Advapi
  5513. Authentication Package: Negotiate
  5514. Transited Services: -
  5515. Package Name (NTLM only): -
  5516. Key Length: 0
  5517.  
  5518. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  5519.  
  5520. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  5521.  
  5522. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  5523.  
  5524. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  5525.  
  5526. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  5527.  
  5528. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  5529.  
  5530. The authentication information fields provide detailed information about this specific logon request.
  5531. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  5532. - Transited services indicate which intermediate services have participated in this logon request.
  5533. - Package name indicates which sub-protocol was used among the NTLM protocols.
  5534. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  5535. Audit Success 5/2/2017 6:15:21 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  5536.  
  5537. Subject:
  5538. Security ID: SYSTEM
  5539. Account Name: SYSTEM
  5540. Account Domain: NT AUTHORITY
  5541. Logon ID: 0x3E7
  5542.  
  5543. Privileges: SeAssignPrimaryTokenPrivilege
  5544. SeTcbPrivilege
  5545. SeSecurityPrivilege
  5546. SeTakeOwnershipPrivilege
  5547. SeLoadDriverPrivilege
  5548. SeBackupPrivilege
  5549. SeRestorePrivilege
  5550. SeDebugPrivilege
  5551. SeAuditPrivilege
  5552. SeSystemEnvironmentPrivilege
  5553. SeImpersonatePrivilege
  5554. SeDelegateSessionUserImpersonatePrivilege"
  5555. Audit Success 5/2/2017 6:15:21 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  5556.  
  5557. Subject:
  5558. Security ID: SYSTEM
  5559. Account Name: DESKTOP-TM5QNT2$
  5560. Account Domain: WORKGROUP
  5561. Logon ID: 0x3E7
  5562.  
  5563. Logon Information:
  5564. Logon Type: 5
  5565. Restricted Admin Mode: -
  5566. Virtual Account: No
  5567. Elevated Token: Yes
  5568.  
  5569. Impersonation Level: Impersonation
  5570.  
  5571. New Logon:
  5572. Security ID: SYSTEM
  5573. Account Name: SYSTEM
  5574. Account Domain: NT AUTHORITY
  5575. Logon ID: 0x3E7
  5576. Linked Logon ID: 0x0
  5577. Network Account Name: -
  5578. Network Account Domain: -
  5579. Logon GUID: {00000000-0000-0000-0000-000000000000}
  5580.  
  5581. Process Information:
  5582. Process ID: 0x2f0
  5583. Process Name: C:\Windows\System32\services.exe
  5584.  
  5585. Network Information:
  5586. Workstation Name: -
  5587. Source Network Address: -
  5588. Source Port: -
  5589.  
  5590. Detailed Authentication Information:
  5591. Logon Process: Advapi
  5592. Authentication Package: Negotiate
  5593. Transited Services: -
  5594. Package Name (NTLM only): -
  5595. Key Length: 0
  5596.  
  5597. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  5598.  
  5599. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  5600.  
  5601. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  5602.  
  5603. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  5604.  
  5605. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  5606.  
  5607. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  5608.  
  5609. The authentication information fields provide detailed information about this specific logon request.
  5610. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  5611. - Transited services indicate which intermediate services have participated in this logon request.
  5612. - Package name indicates which sub-protocol was used among the NTLM protocols.
  5613. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  5614. Audit Success 5/2/2017 6:15:12 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  5615.  
  5616. Subject:
  5617. Security ID: SYSTEM
  5618. Account Name: SYSTEM
  5619. Account Domain: NT AUTHORITY
  5620. Logon ID: 0x3E7
  5621.  
  5622. Privileges: SeAssignPrimaryTokenPrivilege
  5623. SeTcbPrivilege
  5624. SeSecurityPrivilege
  5625. SeTakeOwnershipPrivilege
  5626. SeLoadDriverPrivilege
  5627. SeBackupPrivilege
  5628. SeRestorePrivilege
  5629. SeDebugPrivilege
  5630. SeAuditPrivilege
  5631. SeSystemEnvironmentPrivilege
  5632. SeImpersonatePrivilege
  5633. SeDelegateSessionUserImpersonatePrivilege"
  5634. Audit Success 5/2/2017 6:15:12 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  5635.  
  5636. Subject:
  5637. Security ID: SYSTEM
  5638. Account Name: DESKTOP-TM5QNT2$
  5639. Account Domain: WORKGROUP
  5640. Logon ID: 0x3E7
  5641.  
  5642. Logon Information:
  5643. Logon Type: 5
  5644. Restricted Admin Mode: -
  5645. Virtual Account: No
  5646. Elevated Token: Yes
  5647.  
  5648. Impersonation Level: Impersonation
  5649.  
  5650. New Logon:
  5651. Security ID: SYSTEM
  5652. Account Name: SYSTEM
  5653. Account Domain: NT AUTHORITY
  5654. Logon ID: 0x3E7
  5655. Linked Logon ID: 0x0
  5656. Network Account Name: -
  5657. Network Account Domain: -
  5658. Logon GUID: {00000000-0000-0000-0000-000000000000}
  5659.  
  5660. Process Information:
  5661. Process ID: 0x2f0
  5662. Process Name: C:\Windows\System32\services.exe
  5663.  
  5664. Network Information:
  5665. Workstation Name: -
  5666. Source Network Address: -
  5667. Source Port: -
  5668.  
  5669. Detailed Authentication Information:
  5670. Logon Process: Advapi
  5671. Authentication Package: Negotiate
  5672. Transited Services: -
  5673. Package Name (NTLM only): -
  5674. Key Length: 0
  5675.  
  5676. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  5677.  
  5678. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  5679.  
  5680. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  5681.  
  5682. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  5683.  
  5684. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  5685.  
  5686. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  5687.  
  5688. The authentication information fields provide detailed information about this specific logon request.
  5689. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  5690. - Transited services indicate which intermediate services have participated in this logon request.
  5691. - Package name indicates which sub-protocol was used among the NTLM protocols.
  5692. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  5693. Audit Success 5/2/2017 6:15:09 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  5694.  
  5695. Subject:
  5696. Security ID: DESKTOP-TM5QNT2\Jai
  5697. Account Name: Jai
  5698. Account Domain: DESKTOP-TM5QNT2
  5699. Logon ID: 0x44375
  5700.  
  5701. User:
  5702. Security ID: DESKTOP-TM5QNT2\Jai
  5703. Account Name: Jai
  5704. Account Domain: DESKTOP-TM5QNT2
  5705.  
  5706. Process Information:
  5707. Process ID: 0x15e4
  5708. Process Name: C:\Windows\explorer.exe"
  5709. Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  5710.  
  5711. Subject:
  5712. Security ID: SYSTEM
  5713. Account Name: DESKTOP-TM5QNT2$
  5714. Account Domain: WORKGROUP
  5715. Logon ID: 0x3E7
  5716.  
  5717. Group:
  5718. Security ID: BUILTIN\Administrators
  5719. Group Name: Administrators
  5720. Group Domain: Builtin
  5721.  
  5722. Process Information:
  5723. Process ID: 0x27e4
  5724. Process Name: C:\Windows\System32\VSSVC.exe"
  5725. Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  5726.  
  5727. Subject:
  5728. Security ID: SYSTEM
  5729. Account Name: DESKTOP-TM5QNT2$
  5730. Account Domain: WORKGROUP
  5731. Logon ID: 0x3E7
  5732.  
  5733. Group:
  5734. Security ID: BUILTIN\Administrators
  5735. Group Name: Administrators
  5736. Group Domain: Builtin
  5737.  
  5738. Process Information:
  5739. Process ID: 0x27e4
  5740. Process Name: C:\Windows\System32\VSSVC.exe"
  5741. Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  5742.  
  5743. Subject:
  5744. Security ID: SYSTEM
  5745. Account Name: DESKTOP-TM5QNT2$
  5746. Account Domain: WORKGROUP
  5747. Logon ID: 0x3E7
  5748.  
  5749. Group:
  5750. Security ID: BUILTIN\Administrators
  5751. Group Name: Administrators
  5752. Group Domain: Builtin
  5753.  
  5754. Process Information:
  5755. Process ID: 0x27e4
  5756. Process Name: C:\Windows\System32\VSSVC.exe"
  5757. Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  5758.  
  5759. Subject:
  5760. Security ID: SYSTEM
  5761. Account Name: SYSTEM
  5762. Account Domain: NT AUTHORITY
  5763. Logon ID: 0x3E7
  5764.  
  5765. Privileges: SeAssignPrimaryTokenPrivilege
  5766. SeTcbPrivilege
  5767. SeSecurityPrivilege
  5768. SeTakeOwnershipPrivilege
  5769. SeLoadDriverPrivilege
  5770. SeBackupPrivilege
  5771. SeRestorePrivilege
  5772. SeDebugPrivilege
  5773. SeAuditPrivilege
  5774. SeSystemEnvironmentPrivilege
  5775. SeImpersonatePrivilege
  5776. SeDelegateSessionUserImpersonatePrivilege"
  5777. Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  5778.  
  5779. Subject:
  5780. Security ID: SYSTEM
  5781. Account Name: DESKTOP-TM5QNT2$
  5782. Account Domain: WORKGROUP
  5783. Logon ID: 0x3E7
  5784.  
  5785. Logon Information:
  5786. Logon Type: 5
  5787. Restricted Admin Mode: -
  5788. Virtual Account: No
  5789. Elevated Token: Yes
  5790.  
  5791. Impersonation Level: Impersonation
  5792.  
  5793. New Logon:
  5794. Security ID: SYSTEM
  5795. Account Name: SYSTEM
  5796. Account Domain: NT AUTHORITY
  5797. Logon ID: 0x3E7
  5798. Linked Logon ID: 0x0
  5799. Network Account Name: -
  5800. Network Account Domain: -
  5801. Logon GUID: {00000000-0000-0000-0000-000000000000}
  5802.  
  5803. Process Information:
  5804. Process ID: 0x2f0
  5805. Process Name: C:\Windows\System32\services.exe
  5806.  
  5807. Network Information:
  5808. Workstation Name: -
  5809. Source Network Address: -
  5810. Source Port: -
  5811.  
  5812. Detailed Authentication Information:
  5813. Logon Process: Advapi
  5814. Authentication Package: Negotiate
  5815. Transited Services: -
  5816. Package Name (NTLM only): -
  5817. Key Length: 0
  5818.  
  5819. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  5820.  
  5821. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  5822.  
  5823. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  5824.  
  5825. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  5826.  
  5827. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  5828.  
  5829. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  5830.  
  5831. The authentication information fields provide detailed information about this specific logon request.
  5832. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  5833. - Transited services indicate which intermediate services have participated in this logon request.
  5834. - Package name indicates which sub-protocol was used among the NTLM protocols.
  5835. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  5836. Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  5837.  
  5838. Subject:
  5839. Security ID: SYSTEM
  5840. Account Name: DESKTOP-TM5QNT2$
  5841. Account Domain: WORKGROUP
  5842. Logon ID: 0x3E7
  5843.  
  5844. Group:
  5845. Security ID: BUILTIN\Administrators
  5846. Group Name: Administrators
  5847. Group Domain: Builtin
  5848.  
  5849. Process Information:
  5850. Process ID: 0x27e4
  5851. Process Name: C:\Windows\System32\VSSVC.exe"
  5852. Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  5853.  
  5854. Subject:
  5855. Security ID: SYSTEM
  5856. Account Name: SYSTEM
  5857. Account Domain: NT AUTHORITY
  5858. Logon ID: 0x3E7
  5859.  
  5860. Privileges: SeAssignPrimaryTokenPrivilege
  5861. SeTcbPrivilege
  5862. SeSecurityPrivilege
  5863. SeTakeOwnershipPrivilege
  5864. SeLoadDriverPrivilege
  5865. SeBackupPrivilege
  5866. SeRestorePrivilege
  5867. SeDebugPrivilege
  5868. SeAuditPrivilege
  5869. SeSystemEnvironmentPrivilege
  5870. SeImpersonatePrivilege
  5871. SeDelegateSessionUserImpersonatePrivilege"
  5872. Audit Success 5/2/2017 6:15:02 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  5873.  
  5874. Subject:
  5875. Security ID: SYSTEM
  5876. Account Name: DESKTOP-TM5QNT2$
  5877. Account Domain: WORKGROUP
  5878. Logon ID: 0x3E7
  5879.  
  5880. Logon Information:
  5881. Logon Type: 5
  5882. Restricted Admin Mode: -
  5883. Virtual Account: No
  5884. Elevated Token: Yes
  5885.  
  5886. Impersonation Level: Impersonation
  5887.  
  5888. New Logon:
  5889. Security ID: SYSTEM
  5890. Account Name: SYSTEM
  5891. Account Domain: NT AUTHORITY
  5892. Logon ID: 0x3E7
  5893. Linked Logon ID: 0x0
  5894. Network Account Name: -
  5895. Network Account Domain: -
  5896. Logon GUID: {00000000-0000-0000-0000-000000000000}
  5897.  
  5898. Process Information:
  5899. Process ID: 0x2f0
  5900. Process Name: C:\Windows\System32\services.exe
  5901.  
  5902. Network Information:
  5903. Workstation Name: -
  5904. Source Network Address: -
  5905. Source Port: -
  5906.  
  5907. Detailed Authentication Information:
  5908. Logon Process: Advapi
  5909. Authentication Package: Negotiate
  5910. Transited Services: -
  5911. Package Name (NTLM only): -
  5912. Key Length: 0
  5913.  
  5914. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  5915.  
  5916. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  5917.  
  5918. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  5919.  
  5920. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  5921.  
  5922. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  5923.  
  5924. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  5925.  
  5926. The authentication information fields provide detailed information about this specific logon request.
  5927. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  5928. - Transited services indicate which intermediate services have participated in this logon request.
  5929. - Package name indicates which sub-protocol was used among the NTLM protocols.
  5930. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  5931. Audit Success 5/2/2017 6:15:00 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  5932.  
  5933. Subject:
  5934. Security ID: SYSTEM
  5935. Account Name: SYSTEM
  5936. Account Domain: NT AUTHORITY
  5937. Logon ID: 0x3E7
  5938.  
  5939. Privileges: SeAssignPrimaryTokenPrivilege
  5940. SeTcbPrivilege
  5941. SeSecurityPrivilege
  5942. SeTakeOwnershipPrivilege
  5943. SeLoadDriverPrivilege
  5944. SeBackupPrivilege
  5945. SeRestorePrivilege
  5946. SeDebugPrivilege
  5947. SeAuditPrivilege
  5948. SeSystemEnvironmentPrivilege
  5949. SeImpersonatePrivilege
  5950. SeDelegateSessionUserImpersonatePrivilege"
  5951. Audit Success 5/2/2017 6:15:00 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  5952.  
  5953. Subject:
  5954. Security ID: SYSTEM
  5955. Account Name: DESKTOP-TM5QNT2$
  5956. Account Domain: WORKGROUP
  5957. Logon ID: 0x3E7
  5958.  
  5959. Logon Information:
  5960. Logon Type: 5
  5961. Restricted Admin Mode: -
  5962. Virtual Account: No
  5963. Elevated Token: Yes
  5964.  
  5965. Impersonation Level: Impersonation
  5966.  
  5967. New Logon:
  5968. Security ID: SYSTEM
  5969. Account Name: SYSTEM
  5970. Account Domain: NT AUTHORITY
  5971. Logon ID: 0x3E7
  5972. Linked Logon ID: 0x0
  5973. Network Account Name: -
  5974. Network Account Domain: -
  5975. Logon GUID: {00000000-0000-0000-0000-000000000000}
  5976.  
  5977. Process Information:
  5978. Process ID: 0x2f0
  5979. Process Name: C:\Windows\System32\services.exe
  5980.  
  5981. Network Information:
  5982. Workstation Name: -
  5983. Source Network Address: -
  5984. Source Port: -
  5985.  
  5986. Detailed Authentication Information:
  5987. Logon Process: Advapi
  5988. Authentication Package: Negotiate
  5989. Transited Services: -
  5990. Package Name (NTLM only): -
  5991. Key Length: 0
  5992.  
  5993. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  5994.  
  5995. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  5996.  
  5997. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  5998.  
  5999. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  6000.  
  6001. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  6002.  
  6003. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  6004.  
  6005. The authentication information fields provide detailed information about this specific logon request.
  6006. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  6007. - Transited services indicate which intermediate services have participated in this logon request.
  6008. - Package name indicates which sub-protocol was used among the NTLM protocols.
  6009. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  6010. Audit Success 5/2/2017 6:14:59 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  6011.  
  6012. Subject:
  6013. Security ID: SYSTEM
  6014. Account Name: SYSTEM
  6015. Account Domain: NT AUTHORITY
  6016. Logon ID: 0x3E7
  6017.  
  6018. Privileges: SeAssignPrimaryTokenPrivilege
  6019. SeTcbPrivilege
  6020. SeSecurityPrivilege
  6021. SeTakeOwnershipPrivilege
  6022. SeLoadDriverPrivilege
  6023. SeBackupPrivilege
  6024. SeRestorePrivilege
  6025. SeDebugPrivilege
  6026. SeAuditPrivilege
  6027. SeSystemEnvironmentPrivilege
  6028. SeImpersonatePrivilege
  6029. SeDelegateSessionUserImpersonatePrivilege"
  6030. Audit Success 5/2/2017 6:14:59 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  6031.  
  6032. Subject:
  6033. Security ID: SYSTEM
  6034. Account Name: DESKTOP-TM5QNT2$
  6035. Account Domain: WORKGROUP
  6036. Logon ID: 0x3E7
  6037.  
  6038. Logon Information:
  6039. Logon Type: 5
  6040. Restricted Admin Mode: -
  6041. Virtual Account: No
  6042. Elevated Token: Yes
  6043.  
  6044. Impersonation Level: Impersonation
  6045.  
  6046. New Logon:
  6047. Security ID: SYSTEM
  6048. Account Name: SYSTEM
  6049. Account Domain: NT AUTHORITY
  6050. Logon ID: 0x3E7
  6051. Linked Logon ID: 0x0
  6052. Network Account Name: -
  6053. Network Account Domain: -
  6054. Logon GUID: {00000000-0000-0000-0000-000000000000}
  6055.  
  6056. Process Information:
  6057. Process ID: 0x2f0
  6058. Process Name: C:\Windows\System32\services.exe
  6059.  
  6060. Network Information:
  6061. Workstation Name: -
  6062. Source Network Address: -
  6063. Source Port: -
  6064.  
  6065. Detailed Authentication Information:
  6066. Logon Process: Advapi
  6067. Authentication Package: Negotiate
  6068. Transited Services: -
  6069. Package Name (NTLM only): -
  6070. Key Length: 0
  6071.  
  6072. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  6073.  
  6074. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  6075.  
  6076. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  6077.  
  6078. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  6079.  
  6080. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  6081.  
  6082. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  6083.  
  6084. The authentication information fields provide detailed information about this specific logon request.
  6085. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  6086. - Transited services indicate which intermediate services have participated in this logon request.
  6087. - Package name indicates which sub-protocol was used among the NTLM protocols.
  6088. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  6089. Audit Success 5/2/2017 6:08:55 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  6090.  
  6091. Subject:
  6092. Security ID: SYSTEM
  6093. Account Name: SYSTEM
  6094. Account Domain: NT AUTHORITY
  6095. Logon ID: 0x3E7
  6096.  
  6097. Privileges: SeAssignPrimaryTokenPrivilege
  6098. SeTcbPrivilege
  6099. SeSecurityPrivilege
  6100. SeTakeOwnershipPrivilege
  6101. SeLoadDriverPrivilege
  6102. SeBackupPrivilege
  6103. SeRestorePrivilege
  6104. SeDebugPrivilege
  6105. SeAuditPrivilege
  6106. SeSystemEnvironmentPrivilege
  6107. SeImpersonatePrivilege
  6108. SeDelegateSessionUserImpersonatePrivilege"
  6109. Audit Success 5/2/2017 6:08:55 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  6110.  
  6111. Subject:
  6112. Security ID: SYSTEM
  6113. Account Name: DESKTOP-TM5QNT2$
  6114. Account Domain: WORKGROUP
  6115. Logon ID: 0x3E7
  6116.  
  6117. Logon Information:
  6118. Logon Type: 5
  6119. Restricted Admin Mode: -
  6120. Virtual Account: No
  6121. Elevated Token: Yes
  6122.  
  6123. Impersonation Level: Impersonation
  6124.  
  6125. New Logon:
  6126. Security ID: SYSTEM
  6127. Account Name: SYSTEM
  6128. Account Domain: NT AUTHORITY
  6129. Logon ID: 0x3E7
  6130. Linked Logon ID: 0x0
  6131. Network Account Name: -
  6132. Network Account Domain: -
  6133. Logon GUID: {00000000-0000-0000-0000-000000000000}
  6134.  
  6135. Process Information:
  6136. Process ID: 0x2f0
  6137. Process Name: C:\Windows\System32\services.exe
  6138.  
  6139. Network Information:
  6140. Workstation Name: -
  6141. Source Network Address: -
  6142. Source Port: -
  6143.  
  6144. Detailed Authentication Information:
  6145. Logon Process: Advapi
  6146. Authentication Package: Negotiate
  6147. Transited Services: -
  6148. Package Name (NTLM only): -
  6149. Key Length: 0
  6150.  
  6151. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  6152.  
  6153. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  6154.  
  6155. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  6156.  
  6157. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  6158.  
  6159. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  6160.  
  6161. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  6162.  
  6163. The authentication information fields provide detailed information about this specific logon request.
  6164. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  6165. - Transited services indicate which intermediate services have participated in this logon request.
  6166. - Package name indicates which sub-protocol was used among the NTLM protocols.
  6167. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  6168. Audit Success 5/2/2017 6:00:38 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  6169.  
  6170. Subject:
  6171. Security ID: DESKTOP-TM5QNT2\Jai
  6172. Account Name: Jai
  6173. Account Domain: DESKTOP-TM5QNT2
  6174. Logon ID: 0x44375
  6175.  
  6176. User:
  6177. Security ID: DESKTOP-TM5QNT2\Jai
  6178. Account Name: Jai
  6179. Account Domain: DESKTOP-TM5QNT2
  6180.  
  6181. Process Information:
  6182. Process ID: 0x15e4
  6183. Process Name: C:\Windows\explorer.exe"
  6184. Audit Success 5/2/2017 5:18:57 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  6185.  
  6186. Subject:
  6187. Security ID: SYSTEM
  6188. Account Name: SYSTEM
  6189. Account Domain: NT AUTHORITY
  6190. Logon ID: 0x3E7
  6191.  
  6192. Privileges: SeAssignPrimaryTokenPrivilege
  6193. SeTcbPrivilege
  6194. SeSecurityPrivilege
  6195. SeTakeOwnershipPrivilege
  6196. SeLoadDriverPrivilege
  6197. SeBackupPrivilege
  6198. SeRestorePrivilege
  6199. SeDebugPrivilege
  6200. SeAuditPrivilege
  6201. SeSystemEnvironmentPrivilege
  6202. SeImpersonatePrivilege
  6203. SeDelegateSessionUserImpersonatePrivilege"
  6204. Audit Success 5/2/2017 5:18:57 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  6205.  
  6206. Subject:
  6207. Security ID: SYSTEM
  6208. Account Name: DESKTOP-TM5QNT2$
  6209. Account Domain: WORKGROUP
  6210. Logon ID: 0x3E7
  6211.  
  6212. Logon Information:
  6213. Logon Type: 5
  6214. Restricted Admin Mode: -
  6215. Virtual Account: No
  6216. Elevated Token: Yes
  6217.  
  6218. Impersonation Level: Impersonation
  6219.  
  6220. New Logon:
  6221. Security ID: SYSTEM
  6222. Account Name: SYSTEM
  6223. Account Domain: NT AUTHORITY
  6224. Logon ID: 0x3E7
  6225. Linked Logon ID: 0x0
  6226. Network Account Name: -
  6227. Network Account Domain: -
  6228. Logon GUID: {00000000-0000-0000-0000-000000000000}
  6229.  
  6230. Process Information:
  6231. Process ID: 0x2f0
  6232. Process Name: C:\Windows\System32\services.exe
  6233.  
  6234. Network Information:
  6235. Workstation Name: -
  6236. Source Network Address: -
  6237. Source Port: -
  6238.  
  6239. Detailed Authentication Information:
  6240. Logon Process: Advapi
  6241. Authentication Package: Negotiate
  6242. Transited Services: -
  6243. Package Name (NTLM only): -
  6244. Key Length: 0
  6245.  
  6246. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  6247.  
  6248. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  6249.  
  6250. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  6251.  
  6252. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  6253.  
  6254. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  6255.  
  6256. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  6257.  
  6258. The authentication information fields provide detailed information about this specific logon request.
  6259. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  6260. - Transited services indicate which intermediate services have participated in this logon request.
  6261. - Package name indicates which sub-protocol was used among the NTLM protocols.
  6262. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  6263. Audit Success 5/2/2017 4:52:38 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  6264.  
  6265. Subject:
  6266. Security ID: SYSTEM
  6267. Account Name: SYSTEM
  6268. Account Domain: NT AUTHORITY
  6269. Logon ID: 0x3E7
  6270.  
  6271. Privileges: SeAssignPrimaryTokenPrivilege
  6272. SeTcbPrivilege
  6273. SeSecurityPrivilege
  6274. SeTakeOwnershipPrivilege
  6275. SeLoadDriverPrivilege
  6276. SeBackupPrivilege
  6277. SeRestorePrivilege
  6278. SeDebugPrivilege
  6279. SeAuditPrivilege
  6280. SeSystemEnvironmentPrivilege
  6281. SeImpersonatePrivilege
  6282. SeDelegateSessionUserImpersonatePrivilege"
  6283. Audit Success 5/2/2017 4:52:38 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  6284.  
  6285. Subject:
  6286. Security ID: SYSTEM
  6287. Account Name: DESKTOP-TM5QNT2$
  6288. Account Domain: WORKGROUP
  6289. Logon ID: 0x3E7
  6290.  
  6291. Logon Information:
  6292. Logon Type: 5
  6293. Restricted Admin Mode: -
  6294. Virtual Account: No
  6295. Elevated Token: Yes
  6296.  
  6297. Impersonation Level: Impersonation
  6298.  
  6299. New Logon:
  6300. Security ID: SYSTEM
  6301. Account Name: SYSTEM
  6302. Account Domain: NT AUTHORITY
  6303. Logon ID: 0x3E7
  6304. Linked Logon ID: 0x0
  6305. Network Account Name: -
  6306. Network Account Domain: -
  6307. Logon GUID: {00000000-0000-0000-0000-000000000000}
  6308.  
  6309. Process Information:
  6310. Process ID: 0x2f0
  6311. Process Name: C:\Windows\System32\services.exe
  6312.  
  6313. Network Information:
  6314. Workstation Name: -
  6315. Source Network Address: -
  6316. Source Port: -
  6317.  
  6318. Detailed Authentication Information:
  6319. Logon Process: Advapi
  6320. Authentication Package: Negotiate
  6321. Transited Services: -
  6322. Package Name (NTLM only): -
  6323. Key Length: 0
  6324.  
  6325. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  6326.  
  6327. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  6328.  
  6329. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  6330.  
  6331. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  6332.  
  6333. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  6334.  
  6335. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  6336.  
  6337. The authentication information fields provide detailed information about this specific logon request.
  6338. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  6339. - Transited services indicate which intermediate services have participated in this logon request.
  6340. - Package name indicates which sub-protocol was used among the NTLM protocols.
  6341. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  6342. Audit Success 5/2/2017 4:52:32 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  6343.  
  6344. Subject:
  6345. Security ID: SYSTEM
  6346. Account Name: DESKTOP-TM5QNT2$
  6347. Account Domain: WORKGROUP
  6348. Logon ID: 0x3E7
  6349.  
  6350. Group:
  6351. Security ID: BUILTIN\Administrators
  6352. Group Name: Administrators
  6353. Group Domain: Builtin
  6354.  
  6355. Process Information:
  6356. Process ID: 0x39f0
  6357. Process Name: C:\Windows\System32\VSSVC.exe"
  6358. Audit Success 5/2/2017 4:52:32 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  6359.  
  6360. Subject:
  6361. Security ID: SYSTEM
  6362. Account Name: DESKTOP-TM5QNT2$
  6363. Account Domain: WORKGROUP
  6364. Logon ID: 0x3E7
  6365.  
  6366. Group:
  6367. Security ID: BUILTIN\Administrators
  6368. Group Name: Administrators
  6369. Group Domain: Builtin
  6370.  
  6371. Process Information:
  6372. Process ID: 0x39f0
  6373. Process Name: C:\Windows\System32\VSSVC.exe"
  6374. Audit Success 5/2/2017 4:52:32 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  6375.  
  6376. Subject:
  6377. Security ID: SYSTEM
  6378. Account Name: DESKTOP-TM5QNT2$
  6379. Account Domain: WORKGROUP
  6380. Logon ID: 0x3E7
  6381.  
  6382. Group:
  6383. Security ID: BUILTIN\Administrators
  6384. Group Name: Administrators
  6385. Group Domain: Builtin
  6386.  
  6387. Process Information:
  6388. Process ID: 0x39f0
  6389. Process Name: C:\Windows\System32\VSSVC.exe"
  6390. Audit Success 5/2/2017 4:52:32 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  6391.  
  6392. Subject:
  6393. Security ID: SYSTEM
  6394. Account Name: DESKTOP-TM5QNT2$
  6395. Account Domain: WORKGROUP
  6396. Logon ID: 0x3E7
  6397.  
  6398. Group:
  6399. Security ID: BUILTIN\Administrators
  6400. Group Name: Administrators
  6401. Group Domain: Builtin
  6402.  
  6403. Process Information:
  6404. Process ID: 0x39f0
  6405. Process Name: C:\Windows\System32\VSSVC.exe"
  6406. Audit Success 5/2/2017 4:52:32 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  6407.  
  6408. Subject:
  6409. Security ID: SYSTEM
  6410. Account Name: SYSTEM
  6411. Account Domain: NT AUTHORITY
  6412. Logon ID: 0x3E7
  6413.  
  6414. Privileges: SeAssignPrimaryTokenPrivilege
  6415. SeTcbPrivilege
  6416. SeSecurityPrivilege
  6417. SeTakeOwnershipPrivilege
  6418. SeLoadDriverPrivilege
  6419. SeBackupPrivilege
  6420. SeRestorePrivilege
  6421. SeDebugPrivilege
  6422. SeAuditPrivilege
  6423. SeSystemEnvironmentPrivilege
  6424. SeImpersonatePrivilege
  6425. SeDelegateSessionUserImpersonatePrivilege"
  6426. Audit Success 5/2/2017 4:52:32 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  6427.  
  6428. Subject:
  6429. Security ID: SYSTEM
  6430. Account Name: DESKTOP-TM5QNT2$
  6431. Account Domain: WORKGROUP
  6432. Logon ID: 0x3E7
  6433.  
  6434. Logon Information:
  6435. Logon Type: 5
  6436. Restricted Admin Mode: -
  6437. Virtual Account: No
  6438. Elevated Token: Yes
  6439.  
  6440. Impersonation Level: Impersonation
  6441.  
  6442. New Logon:
  6443. Security ID: SYSTEM
  6444. Account Name: SYSTEM
  6445. Account Domain: NT AUTHORITY
  6446. Logon ID: 0x3E7
  6447. Linked Logon ID: 0x0
  6448. Network Account Name: -
  6449. Network Account Domain: -
  6450. Logon GUID: {00000000-0000-0000-0000-000000000000}
  6451.  
  6452. Process Information:
  6453. Process ID: 0x2f0
  6454. Process Name: C:\Windows\System32\services.exe
  6455.  
  6456. Network Information:
  6457. Workstation Name: -
  6458. Source Network Address: -
  6459. Source Port: -
  6460.  
  6461. Detailed Authentication Information:
  6462. Logon Process: Advapi
  6463. Authentication Package: Negotiate
  6464. Transited Services: -
  6465. Package Name (NTLM only): -
  6466. Key Length: 0
  6467.  
  6468. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  6469.  
  6470. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  6471.  
  6472. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  6473.  
  6474. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  6475.  
  6476. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  6477.  
  6478. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  6479.  
  6480. The authentication information fields provide detailed information about this specific logon request.
  6481. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  6482. - Transited services indicate which intermediate services have participated in this logon request.
  6483. - Package name indicates which sub-protocol was used among the NTLM protocols.
  6484. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  6485. Audit Success 5/2/2017 4:49:16 PM Microsoft-Windows-Security-Auditing 4616 Security State Change "The system time was changed.
  6486.  
  6487. Subject:
  6488. Security ID: LOCAL SERVICE
  6489. Account Name: LOCAL SERVICE
  6490. Account Domain: NT AUTHORITY
  6491. Logon ID: 0x3E5
  6492.  
  6493. Process Information:
  6494. Process ID: 0x3674
  6495. Name: C:\Windows\System32\svchost.exe
  6496.  
  6497. Previous Time: 2017-05-02T23:49:16.477967100Z
  6498. New Time: 2017-05-02T23:49:16.477000000Z
  6499.  
  6500. This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."
  6501. Audit Success 5/2/2017 4:49:16 PM Microsoft-Windows-Security-Auditing 4616 Security State Change "The system time was changed.
  6502.  
  6503. Subject:
  6504. Security ID: LOCAL SERVICE
  6505. Account Name: LOCAL SERVICE
  6506. Account Domain: NT AUTHORITY
  6507. Logon ID: 0x3E5
  6508.  
  6509. Process Information:
  6510. Process ID: 0x3674
  6511. Name: C:\Windows\System32\svchost.exe
  6512.  
  6513. Previous Time: 2017-05-02T23:49:16.479116700Z
  6514. New Time: 2017-05-02T23:49:16.478000000Z
  6515.  
  6516. This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."
  6517. Audit Success 5/2/2017 4:49:16 PM Microsoft-Windows-Security-Auditing 4616 Security State Change "The system time was changed.
  6518.  
  6519. Subject:
  6520. Security ID: LOCAL SERVICE
  6521. Account Name: LOCAL SERVICE
  6522. Account Domain: NT AUTHORITY
  6523. Logon ID: 0x3E5
  6524.  
  6525. Process Information:
  6526. Process ID: 0x3674
  6527. Name: C:\Windows\System32\svchost.exe
  6528.  
  6529. Previous Time: 2017-05-02T23:49:14.390205300Z
  6530. New Time: 2017-05-02T23:49:16.478785800Z
  6531.  
  6532. This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."
  6533. Audit Success 5/2/2017 4:49:07 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  6534.  
  6535. Subject:
  6536. Security ID: SYSTEM
  6537. Account Name: SYSTEM
  6538. Account Domain: NT AUTHORITY
  6539. Logon ID: 0x3E7
  6540.  
  6541. Privileges: SeAssignPrimaryTokenPrivilege
  6542. SeTcbPrivilege
  6543. SeSecurityPrivilege
  6544. SeTakeOwnershipPrivilege
  6545. SeLoadDriverPrivilege
  6546. SeBackupPrivilege
  6547. SeRestorePrivilege
  6548. SeDebugPrivilege
  6549. SeAuditPrivilege
  6550. SeSystemEnvironmentPrivilege
  6551. SeImpersonatePrivilege
  6552. SeDelegateSessionUserImpersonatePrivilege"
  6553. Audit Success 5/2/2017 4:49:07 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  6554.  
  6555. Subject:
  6556. Security ID: SYSTEM
  6557. Account Name: DESKTOP-TM5QNT2$
  6558. Account Domain: WORKGROUP
  6559. Logon ID: 0x3E7
  6560.  
  6561. Logon Information:
  6562. Logon Type: 5
  6563. Restricted Admin Mode: -
  6564. Virtual Account: No
  6565. Elevated Token: Yes
  6566.  
  6567. Impersonation Level: Impersonation
  6568.  
  6569. New Logon:
  6570. Security ID: SYSTEM
  6571. Account Name: SYSTEM
  6572. Account Domain: NT AUTHORITY
  6573. Logon ID: 0x3E7
  6574. Linked Logon ID: 0x0
  6575. Network Account Name: -
  6576. Network Account Domain: -
  6577. Logon GUID: {00000000-0000-0000-0000-000000000000}
  6578.  
  6579. Process Information:
  6580. Process ID: 0x2f0
  6581. Process Name: C:\Windows\System32\services.exe
  6582.  
  6583. Network Information:
  6584. Workstation Name: -
  6585. Source Network Address: -
  6586. Source Port: -
  6587.  
  6588. Detailed Authentication Information:
  6589. Logon Process: Advapi
  6590. Authentication Package: Negotiate
  6591. Transited Services: -
  6592. Package Name (NTLM only): -
  6593. Key Length: 0
  6594.  
  6595. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  6596.  
  6597. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  6598.  
  6599. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  6600.  
  6601. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  6602.  
  6603. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  6604.  
  6605. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  6606.  
  6607. The authentication information fields provide detailed information about this specific logon request.
  6608. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  6609. - Transited services indicate which intermediate services have participated in this logon request.
  6610. - Package name indicates which sub-protocol was used among the NTLM protocols.
  6611. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  6612. Audit Success 5/2/2017 4:48:59 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  6613.  
  6614. Subject:
  6615. Security ID: SYSTEM
  6616. Account Name: SYSTEM
  6617. Account Domain: NT AUTHORITY
  6618. Logon ID: 0x3E7
  6619.  
  6620. Privileges: SeAssignPrimaryTokenPrivilege
  6621. SeTcbPrivilege
  6622. SeSecurityPrivilege
  6623. SeTakeOwnershipPrivilege
  6624. SeLoadDriverPrivilege
  6625. SeBackupPrivilege
  6626. SeRestorePrivilege
  6627. SeDebugPrivilege
  6628. SeAuditPrivilege
  6629. SeSystemEnvironmentPrivilege
  6630. SeImpersonatePrivilege
  6631. SeDelegateSessionUserImpersonatePrivilege"
  6632. Audit Success 5/2/2017 4:48:59 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  6633.  
  6634. Subject:
  6635. Security ID: SYSTEM
  6636. Account Name: DESKTOP-TM5QNT2$
  6637. Account Domain: WORKGROUP
  6638. Logon ID: 0x3E7
  6639.  
  6640. Logon Information:
  6641. Logon Type: 5
  6642. Restricted Admin Mode: -
  6643. Virtual Account: No
  6644. Elevated Token: Yes
  6645.  
  6646. Impersonation Level: Impersonation
  6647.  
  6648. New Logon:
  6649. Security ID: SYSTEM
  6650. Account Name: SYSTEM
  6651. Account Domain: NT AUTHORITY
  6652. Logon ID: 0x3E7
  6653. Linked Logon ID: 0x0
  6654. Network Account Name: -
  6655. Network Account Domain: -
  6656. Logon GUID: {00000000-0000-0000-0000-000000000000}
  6657.  
  6658. Process Information:
  6659. Process ID: 0x2f0
  6660. Process Name: C:\Windows\System32\services.exe
  6661.  
  6662. Network Information:
  6663. Workstation Name: -
  6664. Source Network Address: -
  6665. Source Port: -
  6666.  
  6667. Detailed Authentication Information:
  6668. Logon Process: Advapi
  6669. Authentication Package: Negotiate
  6670. Transited Services: -
  6671. Package Name (NTLM only): -
  6672. Key Length: 0
  6673.  
  6674. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  6675.  
  6676. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  6677.  
  6678. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  6679.  
  6680. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  6681.  
  6682. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  6683.  
  6684. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  6685.  
  6686. The authentication information fields provide detailed information about this specific logon request.
  6687. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  6688. - Transited services indicate which intermediate services have participated in this logon request.
  6689. - Package name indicates which sub-protocol was used among the NTLM protocols.
  6690. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  6691. Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  6692.  
  6693. Subject:
  6694. Security ID: SYSTEM
  6695. Account Name: SYSTEM
  6696. Account Domain: NT AUTHORITY
  6697. Logon ID: 0x3E7
  6698.  
  6699. Privileges: SeAssignPrimaryTokenPrivilege
  6700. SeTcbPrivilege
  6701. SeSecurityPrivilege
  6702. SeTakeOwnershipPrivilege
  6703. SeLoadDriverPrivilege
  6704. SeBackupPrivilege
  6705. SeRestorePrivilege
  6706. SeDebugPrivilege
  6707. SeAuditPrivilege
  6708. SeSystemEnvironmentPrivilege
  6709. SeImpersonatePrivilege
  6710. SeDelegateSessionUserImpersonatePrivilege"
  6711. Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  6712.  
  6713. Subject:
  6714. Security ID: SYSTEM
  6715. Account Name: DESKTOP-TM5QNT2$
  6716. Account Domain: WORKGROUP
  6717. Logon ID: 0x3E7
  6718.  
  6719. Logon Information:
  6720. Logon Type: 5
  6721. Restricted Admin Mode: -
  6722. Virtual Account: No
  6723. Elevated Token: Yes
  6724.  
  6725. Impersonation Level: Impersonation
  6726.  
  6727. New Logon:
  6728. Security ID: SYSTEM
  6729. Account Name: SYSTEM
  6730. Account Domain: NT AUTHORITY
  6731. Logon ID: 0x3E7
  6732. Linked Logon ID: 0x0
  6733. Network Account Name: -
  6734. Network Account Domain: -
  6735. Logon GUID: {00000000-0000-0000-0000-000000000000}
  6736.  
  6737. Process Information:
  6738. Process ID: 0x2f0
  6739. Process Name: C:\Windows\System32\services.exe
  6740.  
  6741. Network Information:
  6742. Workstation Name: -
  6743. Source Network Address: -
  6744. Source Port: -
  6745.  
  6746. Detailed Authentication Information:
  6747. Logon Process: Advapi
  6748. Authentication Package: Negotiate
  6749. Transited Services: -
  6750. Package Name (NTLM only): -
  6751. Key Length: 0
  6752.  
  6753. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  6754.  
  6755. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  6756.  
  6757. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  6758.  
  6759. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  6760.  
  6761. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  6762.  
  6763. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  6764.  
  6765. The authentication information fields provide detailed information about this specific logon request.
  6766. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  6767. - Transited services indicate which intermediate services have participated in this logon request.
  6768. - Package name indicates which sub-protocol was used among the NTLM protocols.
  6769. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  6770. Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  6771.  
  6772. Subject:
  6773. Security ID: SYSTEM
  6774. Account Name: DESKTOP-TM5QNT2$
  6775. Account Domain: WORKGROUP
  6776. Logon ID: 0x3E7
  6777.  
  6778. Group:
  6779. Security ID: BUILTIN\Administrators
  6780. Group Name: Administrators
  6781. Group Domain: Builtin
  6782.  
  6783. Process Information:
  6784. Process ID: 0x222c
  6785. Process Name: C:\Windows\System32\VSSVC.exe"
  6786. Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  6787.  
  6788. Subject:
  6789. Security ID: SYSTEM
  6790. Account Name: DESKTOP-TM5QNT2$
  6791. Account Domain: WORKGROUP
  6792. Logon ID: 0x3E7
  6793.  
  6794. Group:
  6795. Security ID: BUILTIN\Administrators
  6796. Group Name: Administrators
  6797. Group Domain: Builtin
  6798.  
  6799. Process Information:
  6800. Process ID: 0x222c
  6801. Process Name: C:\Windows\System32\VSSVC.exe"
  6802. Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  6803.  
  6804. Subject:
  6805. Security ID: SYSTEM
  6806. Account Name: DESKTOP-TM5QNT2$
  6807. Account Domain: WORKGROUP
  6808. Logon ID: 0x3E7
  6809.  
  6810. Group:
  6811. Security ID: BUILTIN\Administrators
  6812. Group Name: Administrators
  6813. Group Domain: Builtin
  6814.  
  6815. Process Information:
  6816. Process ID: 0x222c
  6817. Process Name: C:\Windows\System32\VSSVC.exe"
  6818. Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  6819.  
  6820. Subject:
  6821. Security ID: SYSTEM
  6822. Account Name: SYSTEM
  6823. Account Domain: NT AUTHORITY
  6824. Logon ID: 0x3E7
  6825.  
  6826. Privileges: SeAssignPrimaryTokenPrivilege
  6827. SeTcbPrivilege
  6828. SeSecurityPrivilege
  6829. SeTakeOwnershipPrivilege
  6830. SeLoadDriverPrivilege
  6831. SeBackupPrivilege
  6832. SeRestorePrivilege
  6833. SeDebugPrivilege
  6834. SeAuditPrivilege
  6835. SeSystemEnvironmentPrivilege
  6836. SeImpersonatePrivilege
  6837. SeDelegateSessionUserImpersonatePrivilege"
  6838. Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  6839.  
  6840. Subject:
  6841. Security ID: SYSTEM
  6842. Account Name: DESKTOP-TM5QNT2$
  6843. Account Domain: WORKGROUP
  6844. Logon ID: 0x3E7
  6845.  
  6846. Logon Information:
  6847. Logon Type: 5
  6848. Restricted Admin Mode: -
  6849. Virtual Account: No
  6850. Elevated Token: Yes
  6851.  
  6852. Impersonation Level: Impersonation
  6853.  
  6854. New Logon:
  6855. Security ID: SYSTEM
  6856. Account Name: SYSTEM
  6857. Account Domain: NT AUTHORITY
  6858. Logon ID: 0x3E7
  6859. Linked Logon ID: 0x0
  6860. Network Account Name: -
  6861. Network Account Domain: -
  6862. Logon GUID: {00000000-0000-0000-0000-000000000000}
  6863.  
  6864. Process Information:
  6865. Process ID: 0x2f0
  6866. Process Name: C:\Windows\System32\services.exe
  6867.  
  6868. Network Information:
  6869. Workstation Name: -
  6870. Source Network Address: -
  6871. Source Port: -
  6872.  
  6873. Detailed Authentication Information:
  6874. Logon Process: Advapi
  6875. Authentication Package: Negotiate
  6876. Transited Services: -
  6877. Package Name (NTLM only): -
  6878. Key Length: 0
  6879.  
  6880. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  6881.  
  6882. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  6883.  
  6884. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  6885.  
  6886. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  6887.  
  6888. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  6889.  
  6890. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  6891.  
  6892. The authentication information fields provide detailed information about this specific logon request.
  6893. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  6894. - Transited services indicate which intermediate services have participated in this logon request.
  6895. - Package name indicates which sub-protocol was used among the NTLM protocols.
  6896. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  6897. Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  6898.  
  6899. Subject:
  6900. Security ID: SYSTEM
  6901. Account Name: DESKTOP-TM5QNT2$
  6902. Account Domain: WORKGROUP
  6903. Logon ID: 0x3E7
  6904.  
  6905. Group:
  6906. Security ID: BUILTIN\Administrators
  6907. Group Name: Administrators
  6908. Group Domain: Builtin
  6909.  
  6910. Process Information:
  6911. Process ID: 0x222c
  6912. Process Name: C:\Windows\System32\VSSVC.exe"
  6913. Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  6914.  
  6915. Subject:
  6916. Security ID: SYSTEM
  6917. Account Name: SYSTEM
  6918. Account Domain: NT AUTHORITY
  6919. Logon ID: 0x3E7
  6920.  
  6921. Privileges: SeAssignPrimaryTokenPrivilege
  6922. SeTcbPrivilege
  6923. SeSecurityPrivilege
  6924. SeTakeOwnershipPrivilege
  6925. SeLoadDriverPrivilege
  6926. SeBackupPrivilege
  6927. SeRestorePrivilege
  6928. SeDebugPrivilege
  6929. SeAuditPrivilege
  6930. SeSystemEnvironmentPrivilege
  6931. SeImpersonatePrivilege
  6932. SeDelegateSessionUserImpersonatePrivilege"
  6933. Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  6934.  
  6935. Subject:
  6936. Security ID: SYSTEM
  6937. Account Name: DESKTOP-TM5QNT2$
  6938. Account Domain: WORKGROUP
  6939. Logon ID: 0x3E7
  6940.  
  6941. Logon Information:
  6942. Logon Type: 5
  6943. Restricted Admin Mode: -
  6944. Virtual Account: No
  6945. Elevated Token: Yes
  6946.  
  6947. Impersonation Level: Impersonation
  6948.  
  6949. New Logon:
  6950. Security ID: SYSTEM
  6951. Account Name: SYSTEM
  6952. Account Domain: NT AUTHORITY
  6953. Logon ID: 0x3E7
  6954. Linked Logon ID: 0x0
  6955. Network Account Name: -
  6956. Network Account Domain: -
  6957. Logon GUID: {00000000-0000-0000-0000-000000000000}
  6958.  
  6959. Process Information:
  6960. Process ID: 0x2f0
  6961. Process Name: C:\Windows\System32\services.exe
  6962.  
  6963. Network Information:
  6964. Workstation Name: -
  6965. Source Network Address: -
  6966. Source Port: -
  6967.  
  6968. Detailed Authentication Information:
  6969. Logon Process: Advapi
  6970. Authentication Package: Negotiate
  6971. Transited Services: -
  6972. Package Name (NTLM only): -
  6973. Key Length: 0
  6974.  
  6975. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  6976.  
  6977. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  6978.  
  6979. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  6980.  
  6981. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  6982.  
  6983. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  6984.  
  6985. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  6986.  
  6987. The authentication information fields provide detailed information about this specific logon request.
  6988. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  6989. - Transited services indicate which intermediate services have participated in this logon request.
  6990. - Package name indicates which sub-protocol was used among the NTLM protocols.
  6991. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  6992. Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  6993.  
  6994. Subject:
  6995. Security ID: SYSTEM
  6996. Account Name: SYSTEM
  6997. Account Domain: NT AUTHORITY
  6998. Logon ID: 0x3E7
  6999.  
  7000. Privileges: SeAssignPrimaryTokenPrivilege
  7001. SeTcbPrivilege
  7002. SeSecurityPrivilege
  7003. SeTakeOwnershipPrivilege
  7004. SeLoadDriverPrivilege
  7005. SeBackupPrivilege
  7006. SeRestorePrivilege
  7007. SeDebugPrivilege
  7008. SeAuditPrivilege
  7009. SeSystemEnvironmentPrivilege
  7010. SeImpersonatePrivilege
  7011. SeDelegateSessionUserImpersonatePrivilege"
  7012. Audit Success 5/2/2017 4:48:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  7013.  
  7014. Subject:
  7015. Security ID: SYSTEM
  7016. Account Name: DESKTOP-TM5QNT2$
  7017. Account Domain: WORKGROUP
  7018. Logon ID: 0x3E7
  7019.  
  7020. Logon Information:
  7021. Logon Type: 5
  7022. Restricted Admin Mode: -
  7023. Virtual Account: No
  7024. Elevated Token: Yes
  7025.  
  7026. Impersonation Level: Impersonation
  7027.  
  7028. New Logon:
  7029. Security ID: SYSTEM
  7030. Account Name: SYSTEM
  7031. Account Domain: NT AUTHORITY
  7032. Logon ID: 0x3E7
  7033. Linked Logon ID: 0x0
  7034. Network Account Name: -
  7035. Network Account Domain: -
  7036. Logon GUID: {00000000-0000-0000-0000-000000000000}
  7037.  
  7038. Process Information:
  7039. Process ID: 0x2f0
  7040. Process Name: C:\Windows\System32\services.exe
  7041.  
  7042. Network Information:
  7043. Workstation Name: -
  7044. Source Network Address: -
  7045. Source Port: -
  7046.  
  7047. Detailed Authentication Information:
  7048. Logon Process: Advapi
  7049. Authentication Package: Negotiate
  7050. Transited Services: -
  7051. Package Name (NTLM only): -
  7052. Key Length: 0
  7053.  
  7054. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  7055.  
  7056. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  7057.  
  7058. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  7059.  
  7060. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  7061.  
  7062. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  7063.  
  7064. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  7065.  
  7066. The authentication information fields provide detailed information about this specific logon request.
  7067. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  7068. - Transited services indicate which intermediate services have participated in this logon request.
  7069. - Package name indicates which sub-protocol was used among the NTLM protocols.
  7070. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  7071. Audit Success 5/2/2017 4:48:57 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  7072.  
  7073. Subject:
  7074. Security ID: SYSTEM
  7075. Account Name: SYSTEM
  7076. Account Domain: NT AUTHORITY
  7077. Logon ID: 0x3E7
  7078.  
  7079. Privileges: SeAssignPrimaryTokenPrivilege
  7080. SeTcbPrivilege
  7081. SeSecurityPrivilege
  7082. SeTakeOwnershipPrivilege
  7083. SeLoadDriverPrivilege
  7084. SeBackupPrivilege
  7085. SeRestorePrivilege
  7086. SeDebugPrivilege
  7087. SeAuditPrivilege
  7088. SeSystemEnvironmentPrivilege
  7089. SeImpersonatePrivilege
  7090. SeDelegateSessionUserImpersonatePrivilege"
  7091. Audit Success 5/2/2017 4:48:57 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  7092.  
  7093. Subject:
  7094. Security ID: SYSTEM
  7095. Account Name: DESKTOP-TM5QNT2$
  7096. Account Domain: WORKGROUP
  7097. Logon ID: 0x3E7
  7098.  
  7099. Logon Information:
  7100. Logon Type: 5
  7101. Restricted Admin Mode: -
  7102. Virtual Account: No
  7103. Elevated Token: Yes
  7104.  
  7105. Impersonation Level: Impersonation
  7106.  
  7107. New Logon:
  7108. Security ID: SYSTEM
  7109. Account Name: SYSTEM
  7110. Account Domain: NT AUTHORITY
  7111. Logon ID: 0x3E7
  7112. Linked Logon ID: 0x0
  7113. Network Account Name: -
  7114. Network Account Domain: -
  7115. Logon GUID: {00000000-0000-0000-0000-000000000000}
  7116.  
  7117. Process Information:
  7118. Process ID: 0x2f0
  7119. Process Name: C:\Windows\System32\services.exe
  7120.  
  7121. Network Information:
  7122. Workstation Name: -
  7123. Source Network Address: -
  7124. Source Port: -
  7125.  
  7126. Detailed Authentication Information:
  7127. Logon Process: Advapi
  7128. Authentication Package: Negotiate
  7129. Transited Services: -
  7130. Package Name (NTLM only): -
  7131. Key Length: 0
  7132.  
  7133. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  7134.  
  7135. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  7136.  
  7137. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  7138.  
  7139. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  7140.  
  7141. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  7142.  
  7143. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  7144.  
  7145. The authentication information fields provide detailed information about this specific logon request.
  7146. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  7147. - Transited services indicate which intermediate services have participated in this logon request.
  7148. - Package name indicates which sub-protocol was used among the NTLM protocols.
  7149. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  7150. Audit Success 5/2/2017 4:48:57 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  7151.  
  7152. Subject:
  7153. Security ID: SYSTEM
  7154. Account Name: SYSTEM
  7155. Account Domain: NT AUTHORITY
  7156. Logon ID: 0x3E7
  7157.  
  7158. Privileges: SeAssignPrimaryTokenPrivilege
  7159. SeTcbPrivilege
  7160. SeSecurityPrivilege
  7161. SeTakeOwnershipPrivilege
  7162. SeLoadDriverPrivilege
  7163. SeBackupPrivilege
  7164. SeRestorePrivilege
  7165. SeDebugPrivilege
  7166. SeAuditPrivilege
  7167. SeSystemEnvironmentPrivilege
  7168. SeImpersonatePrivilege
  7169. SeDelegateSessionUserImpersonatePrivilege"
  7170. Audit Success 5/2/2017 4:48:57 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  7171.  
  7172. Subject:
  7173. Security ID: SYSTEM
  7174. Account Name: DESKTOP-TM5QNT2$
  7175. Account Domain: WORKGROUP
  7176. Logon ID: 0x3E7
  7177.  
  7178. Logon Information:
  7179. Logon Type: 5
  7180. Restricted Admin Mode: -
  7181. Virtual Account: No
  7182. Elevated Token: Yes
  7183.  
  7184. Impersonation Level: Impersonation
  7185.  
  7186. New Logon:
  7187. Security ID: SYSTEM
  7188. Account Name: SYSTEM
  7189. Account Domain: NT AUTHORITY
  7190. Logon ID: 0x3E7
  7191. Linked Logon ID: 0x0
  7192. Network Account Name: -
  7193. Network Account Domain: -
  7194. Logon GUID: {00000000-0000-0000-0000-000000000000}
  7195.  
  7196. Process Information:
  7197. Process ID: 0x2f0
  7198. Process Name: C:\Windows\System32\services.exe
  7199.  
  7200. Network Information:
  7201. Workstation Name: -
  7202. Source Network Address: -
  7203. Source Port: -
  7204.  
  7205. Detailed Authentication Information:
  7206. Logon Process: Advapi
  7207. Authentication Package: Negotiate
  7208. Transited Services: -
  7209. Package Name (NTLM only): -
  7210. Key Length: 0
  7211.  
  7212. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  7213.  
  7214. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  7215.  
  7216. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  7217.  
  7218. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  7219.  
  7220. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  7221.  
  7222. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  7223.  
  7224. The authentication information fields provide detailed information about this specific logon request.
  7225. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  7226. - Transited services indicate which intermediate services have participated in this logon request.
  7227. - Package name indicates which sub-protocol was used among the NTLM protocols.
  7228. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  7229. Audit Success 5/2/2017 4:44:37 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  7230.  
  7231. Subject:
  7232. Security ID: DESKTOP-TM5QNT2\Jai
  7233. Account Name: Jai
  7234. Account Domain: DESKTOP-TM5QNT2
  7235. Logon ID: 0x44375
  7236.  
  7237. User:
  7238. Security ID: DESKTOP-TM5QNT2\Jai
  7239. Account Name: Jai
  7240. Account Domain: DESKTOP-TM5QNT2
  7241.  
  7242. Process Information:
  7243. Process ID: 0x15e4
  7244. Process Name: C:\Windows\explorer.exe"
  7245. Audit Success 5/2/2017 4:43:09 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  7246.  
  7247. Subject:
  7248. Security ID: SYSTEM
  7249. Account Name: SYSTEM
  7250. Account Domain: NT AUTHORITY
  7251. Logon ID: 0x3E7
  7252.  
  7253. Privileges: SeAssignPrimaryTokenPrivilege
  7254. SeTcbPrivilege
  7255. SeSecurityPrivilege
  7256. SeTakeOwnershipPrivilege
  7257. SeLoadDriverPrivilege
  7258. SeBackupPrivilege
  7259. SeRestorePrivilege
  7260. SeDebugPrivilege
  7261. SeAuditPrivilege
  7262. SeSystemEnvironmentPrivilege
  7263. SeImpersonatePrivilege
  7264. SeDelegateSessionUserImpersonatePrivilege"
  7265. Audit Success 5/2/2017 4:43:09 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  7266.  
  7267. Subject:
  7268. Security ID: SYSTEM
  7269. Account Name: DESKTOP-TM5QNT2$
  7270. Account Domain: WORKGROUP
  7271. Logon ID: 0x3E7
  7272.  
  7273. Logon Information:
  7274. Logon Type: 5
  7275. Restricted Admin Mode: -
  7276. Virtual Account: No
  7277. Elevated Token: Yes
  7278.  
  7279. Impersonation Level: Impersonation
  7280.  
  7281. New Logon:
  7282. Security ID: SYSTEM
  7283. Account Name: SYSTEM
  7284. Account Domain: NT AUTHORITY
  7285. Logon ID: 0x3E7
  7286. Linked Logon ID: 0x0
  7287. Network Account Name: -
  7288. Network Account Domain: -
  7289. Logon GUID: {00000000-0000-0000-0000-000000000000}
  7290.  
  7291. Process Information:
  7292. Process ID: 0x2f0
  7293. Process Name: C:\Windows\System32\services.exe
  7294.  
  7295. Network Information:
  7296. Workstation Name: -
  7297. Source Network Address: -
  7298. Source Port: -
  7299.  
  7300. Detailed Authentication Information:
  7301. Logon Process: Advapi
  7302. Authentication Package: Negotiate
  7303. Transited Services: -
  7304. Package Name (NTLM only): -
  7305. Key Length: 0
  7306.  
  7307. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  7308.  
  7309. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  7310.  
  7311. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  7312.  
  7313. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  7314.  
  7315. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  7316.  
  7317. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  7318.  
  7319. The authentication information fields provide detailed information about this specific logon request.
  7320. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  7321. - Transited services indicate which intermediate services have participated in this logon request.
  7322. - Package name indicates which sub-protocol was used among the NTLM protocols.
  7323. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  7324. Audit Success 5/2/2017 4:43:08 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  7325.  
  7326. Subject:
  7327. Security ID: SYSTEM
  7328. Account Name: SYSTEM
  7329. Account Domain: NT AUTHORITY
  7330. Logon ID: 0x3E7
  7331.  
  7332. Privileges: SeAssignPrimaryTokenPrivilege
  7333. SeTcbPrivilege
  7334. SeSecurityPrivilege
  7335. SeTakeOwnershipPrivilege
  7336. SeLoadDriverPrivilege
  7337. SeBackupPrivilege
  7338. SeRestorePrivilege
  7339. SeDebugPrivilege
  7340. SeAuditPrivilege
  7341. SeSystemEnvironmentPrivilege
  7342. SeImpersonatePrivilege
  7343. SeDelegateSessionUserImpersonatePrivilege"
  7344. Audit Success 5/2/2017 4:43:08 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  7345.  
  7346. Subject:
  7347. Security ID: SYSTEM
  7348. Account Name: DESKTOP-TM5QNT2$
  7349. Account Domain: WORKGROUP
  7350. Logon ID: 0x3E7
  7351.  
  7352. Logon Information:
  7353. Logon Type: 5
  7354. Restricted Admin Mode: -
  7355. Virtual Account: No
  7356. Elevated Token: Yes
  7357.  
  7358. Impersonation Level: Impersonation
  7359.  
  7360. New Logon:
  7361. Security ID: SYSTEM
  7362. Account Name: SYSTEM
  7363. Account Domain: NT AUTHORITY
  7364. Logon ID: 0x3E7
  7365. Linked Logon ID: 0x0
  7366. Network Account Name: -
  7367. Network Account Domain: -
  7368. Logon GUID: {00000000-0000-0000-0000-000000000000}
  7369.  
  7370. Process Information:
  7371. Process ID: 0x2f0
  7372. Process Name: C:\Windows\System32\services.exe
  7373.  
  7374. Network Information:
  7375. Workstation Name: -
  7376. Source Network Address: -
  7377. Source Port: -
  7378.  
  7379. Detailed Authentication Information:
  7380. Logon Process: Advapi
  7381. Authentication Package: Negotiate
  7382. Transited Services: -
  7383. Package Name (NTLM only): -
  7384. Key Length: 0
  7385.  
  7386. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  7387.  
  7388. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  7389.  
  7390. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  7391.  
  7392. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  7393.  
  7394. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  7395.  
  7396. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  7397.  
  7398. The authentication information fields provide detailed information about this specific logon request.
  7399. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  7400. - Transited services indicate which intermediate services have participated in this logon request.
  7401. - Package name indicates which sub-protocol was used among the NTLM protocols.
  7402. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  7403. Audit Success 5/2/2017 4:42:57 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  7404.  
  7405. Subject:
  7406. Security ID: SYSTEM
  7407. Account Name: SYSTEM
  7408. Account Domain: NT AUTHORITY
  7409. Logon ID: 0x3E7
  7410.  
  7411. Privileges: SeAssignPrimaryTokenPrivilege
  7412. SeTcbPrivilege
  7413. SeSecurityPrivilege
  7414. SeTakeOwnershipPrivilege
  7415. SeLoadDriverPrivilege
  7416. SeBackupPrivilege
  7417. SeRestorePrivilege
  7418. SeDebugPrivilege
  7419. SeAuditPrivilege
  7420. SeSystemEnvironmentPrivilege
  7421. SeImpersonatePrivilege
  7422. SeDelegateSessionUserImpersonatePrivilege"
  7423. Audit Success 5/2/2017 4:42:57 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  7424.  
  7425. Subject:
  7426. Security ID: SYSTEM
  7427. Account Name: DESKTOP-TM5QNT2$
  7428. Account Domain: WORKGROUP
  7429. Logon ID: 0x3E7
  7430.  
  7431. Logon Information:
  7432. Logon Type: 5
  7433. Restricted Admin Mode: -
  7434. Virtual Account: No
  7435. Elevated Token: Yes
  7436.  
  7437. Impersonation Level: Impersonation
  7438.  
  7439. New Logon:
  7440. Security ID: SYSTEM
  7441. Account Name: SYSTEM
  7442. Account Domain: NT AUTHORITY
  7443. Logon ID: 0x3E7
  7444. Linked Logon ID: 0x0
  7445. Network Account Name: -
  7446. Network Account Domain: -
  7447. Logon GUID: {00000000-0000-0000-0000-000000000000}
  7448.  
  7449. Process Information:
  7450. Process ID: 0x2f0
  7451. Process Name: C:\Windows\System32\services.exe
  7452.  
  7453. Network Information:
  7454. Workstation Name: -
  7455. Source Network Address: -
  7456. Source Port: -
  7457.  
  7458. Detailed Authentication Information:
  7459. Logon Process: Advapi
  7460. Authentication Package: Negotiate
  7461. Transited Services: -
  7462. Package Name (NTLM only): -
  7463. Key Length: 0
  7464.  
  7465. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  7466.  
  7467. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  7468.  
  7469. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  7470.  
  7471. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  7472.  
  7473. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  7474.  
  7475. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  7476.  
  7477. The authentication information fields provide detailed information about this specific logon request.
  7478. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  7479. - Transited services indicate which intermediate services have participated in this logon request.
  7480. - Package name indicates which sub-protocol was used among the NTLM protocols.
  7481. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  7482. Audit Success 5/2/2017 4:42:56 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  7483.  
  7484. Subject:
  7485. Security ID: SYSTEM
  7486. Account Name: SYSTEM
  7487. Account Domain: NT AUTHORITY
  7488. Logon ID: 0x3E7
  7489.  
  7490. Privileges: SeAssignPrimaryTokenPrivilege
  7491. SeTcbPrivilege
  7492. SeSecurityPrivilege
  7493. SeTakeOwnershipPrivilege
  7494. SeLoadDriverPrivilege
  7495. SeBackupPrivilege
  7496. SeRestorePrivilege
  7497. SeDebugPrivilege
  7498. SeAuditPrivilege
  7499. SeSystemEnvironmentPrivilege
  7500. SeImpersonatePrivilege
  7501. SeDelegateSessionUserImpersonatePrivilege"
  7502. Audit Success 5/2/2017 4:42:56 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  7503.  
  7504. Subject:
  7505. Security ID: SYSTEM
  7506. Account Name: DESKTOP-TM5QNT2$
  7507. Account Domain: WORKGROUP
  7508. Logon ID: 0x3E7
  7509.  
  7510. Logon Information:
  7511. Logon Type: 5
  7512. Restricted Admin Mode: -
  7513. Virtual Account: No
  7514. Elevated Token: Yes
  7515.  
  7516. Impersonation Level: Impersonation
  7517.  
  7518. New Logon:
  7519. Security ID: SYSTEM
  7520. Account Name: SYSTEM
  7521. Account Domain: NT AUTHORITY
  7522. Logon ID: 0x3E7
  7523. Linked Logon ID: 0x0
  7524. Network Account Name: -
  7525. Network Account Domain: -
  7526. Logon GUID: {00000000-0000-0000-0000-000000000000}
  7527.  
  7528. Process Information:
  7529. Process ID: 0x2f0
  7530. Process Name: C:\Windows\System32\services.exe
  7531.  
  7532. Network Information:
  7533. Workstation Name: -
  7534. Source Network Address: -
  7535. Source Port: -
  7536.  
  7537. Detailed Authentication Information:
  7538. Logon Process: Advapi
  7539. Authentication Package: Negotiate
  7540. Transited Services: -
  7541. Package Name (NTLM only): -
  7542. Key Length: 0
  7543.  
  7544. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  7545.  
  7546. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  7547.  
  7548. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  7549.  
  7550. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  7551.  
  7552. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  7553.  
  7554. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  7555.  
  7556. The authentication information fields provide detailed information about this specific logon request.
  7557. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  7558. - Transited services indicate which intermediate services have participated in this logon request.
  7559. - Package name indicates which sub-protocol was used among the NTLM protocols.
  7560. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  7561. Audit Success 5/2/2017 4:42:56 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  7562.  
  7563. Subject:
  7564. Security ID: SYSTEM
  7565. Account Name: SYSTEM
  7566. Account Domain: NT AUTHORITY
  7567. Logon ID: 0x3E7
  7568.  
  7569. Privileges: SeAssignPrimaryTokenPrivilege
  7570. SeTcbPrivilege
  7571. SeSecurityPrivilege
  7572. SeTakeOwnershipPrivilege
  7573. SeLoadDriverPrivilege
  7574. SeBackupPrivilege
  7575. SeRestorePrivilege
  7576. SeDebugPrivilege
  7577. SeAuditPrivilege
  7578. SeSystemEnvironmentPrivilege
  7579. SeImpersonatePrivilege
  7580. SeDelegateSessionUserImpersonatePrivilege"
  7581. Audit Success 5/2/2017 4:42:56 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  7582.  
  7583. Subject:
  7584. Security ID: SYSTEM
  7585. Account Name: DESKTOP-TM5QNT2$
  7586. Account Domain: WORKGROUP
  7587. Logon ID: 0x3E7
  7588.  
  7589. Logon Information:
  7590. Logon Type: 5
  7591. Restricted Admin Mode: -
  7592. Virtual Account: No
  7593. Elevated Token: Yes
  7594.  
  7595. Impersonation Level: Impersonation
  7596.  
  7597. New Logon:
  7598. Security ID: SYSTEM
  7599. Account Name: SYSTEM
  7600. Account Domain: NT AUTHORITY
  7601. Logon ID: 0x3E7
  7602. Linked Logon ID: 0x0
  7603. Network Account Name: -
  7604. Network Account Domain: -
  7605. Logon GUID: {00000000-0000-0000-0000-000000000000}
  7606.  
  7607. Process Information:
  7608. Process ID: 0x2f0
  7609. Process Name: C:\Windows\System32\services.exe
  7610.  
  7611. Network Information:
  7612. Workstation Name: -
  7613. Source Network Address: -
  7614. Source Port: -
  7615.  
  7616. Detailed Authentication Information:
  7617. Logon Process: Advapi
  7618. Authentication Package: Negotiate
  7619. Transited Services: -
  7620. Package Name (NTLM only): -
  7621. Key Length: 0
  7622.  
  7623. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  7624.  
  7625. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  7626.  
  7627. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  7628.  
  7629. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  7630.  
  7631. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  7632.  
  7633. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  7634.  
  7635. The authentication information fields provide detailed information about this specific logon request.
  7636. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  7637. - Transited services indicate which intermediate services have participated in this logon request.
  7638. - Package name indicates which sub-protocol was used among the NTLM protocols.
  7639. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  7640. Audit Success 5/2/2017 4:42:56 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  7641.  
  7642. Subject:
  7643. Security ID: SYSTEM
  7644. Account Name: SYSTEM
  7645. Account Domain: NT AUTHORITY
  7646. Logon ID: 0x3E7
  7647.  
  7648. Privileges: SeAssignPrimaryTokenPrivilege
  7649. SeTcbPrivilege
  7650. SeSecurityPrivilege
  7651. SeTakeOwnershipPrivilege
  7652. SeLoadDriverPrivilege
  7653. SeBackupPrivilege
  7654. SeRestorePrivilege
  7655. SeDebugPrivilege
  7656. SeAuditPrivilege
  7657. SeSystemEnvironmentPrivilege
  7658. SeImpersonatePrivilege
  7659. SeDelegateSessionUserImpersonatePrivilege"
  7660. Audit Success 5/2/2017 4:42:56 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  7661.  
  7662. Subject:
  7663. Security ID: SYSTEM
  7664. Account Name: DESKTOP-TM5QNT2$
  7665. Account Domain: WORKGROUP
  7666. Logon ID: 0x3E7
  7667.  
  7668. Logon Information:
  7669. Logon Type: 5
  7670. Restricted Admin Mode: -
  7671. Virtual Account: No
  7672. Elevated Token: Yes
  7673.  
  7674. Impersonation Level: Impersonation
  7675.  
  7676. New Logon:
  7677. Security ID: SYSTEM
  7678. Account Name: SYSTEM
  7679. Account Domain: NT AUTHORITY
  7680. Logon ID: 0x3E7
  7681. Linked Logon ID: 0x0
  7682. Network Account Name: -
  7683. Network Account Domain: -
  7684. Logon GUID: {00000000-0000-0000-0000-000000000000}
  7685.  
  7686. Process Information:
  7687. Process ID: 0x2f0
  7688. Process Name: C:\Windows\System32\services.exe
  7689.  
  7690. Network Information:
  7691. Workstation Name: -
  7692. Source Network Address: -
  7693. Source Port: -
  7694.  
  7695. Detailed Authentication Information:
  7696. Logon Process: Advapi
  7697. Authentication Package: Negotiate
  7698. Transited Services: -
  7699. Package Name (NTLM only): -
  7700. Key Length: 0
  7701.  
  7702. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  7703.  
  7704. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  7705.  
  7706. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  7707.  
  7708. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  7709.  
  7710. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  7711.  
  7712. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  7713.  
  7714. The authentication information fields provide detailed information about this specific logon request.
  7715. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  7716. - Transited services indicate which intermediate services have participated in this logon request.
  7717. - Package name indicates which sub-protocol was used among the NTLM protocols.
  7718. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  7719. Audit Success 5/2/2017 4:42:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  7720.  
  7721. Subject:
  7722. Security ID: SYSTEM
  7723. Account Name: SYSTEM
  7724. Account Domain: NT AUTHORITY
  7725. Logon ID: 0x3E7
  7726.  
  7727. Privileges: SeAssignPrimaryTokenPrivilege
  7728. SeTcbPrivilege
  7729. SeSecurityPrivilege
  7730. SeTakeOwnershipPrivilege
  7731. SeLoadDriverPrivilege
  7732. SeBackupPrivilege
  7733. SeRestorePrivilege
  7734. SeDebugPrivilege
  7735. SeAuditPrivilege
  7736. SeSystemEnvironmentPrivilege
  7737. SeImpersonatePrivilege
  7738. SeDelegateSessionUserImpersonatePrivilege"
  7739. Audit Success 5/2/2017 4:42:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  7740.  
  7741. Subject:
  7742. Security ID: SYSTEM
  7743. Account Name: DESKTOP-TM5QNT2$
  7744. Account Domain: WORKGROUP
  7745. Logon ID: 0x3E7
  7746.  
  7747. Logon Information:
  7748. Logon Type: 5
  7749. Restricted Admin Mode: -
  7750. Virtual Account: No
  7751. Elevated Token: Yes
  7752.  
  7753. Impersonation Level: Impersonation
  7754.  
  7755. New Logon:
  7756. Security ID: SYSTEM
  7757. Account Name: SYSTEM
  7758. Account Domain: NT AUTHORITY
  7759. Logon ID: 0x3E7
  7760. Linked Logon ID: 0x0
  7761. Network Account Name: -
  7762. Network Account Domain: -
  7763. Logon GUID: {00000000-0000-0000-0000-000000000000}
  7764.  
  7765. Process Information:
  7766. Process ID: 0x2f0
  7767. Process Name: C:\Windows\System32\services.exe
  7768.  
  7769. Network Information:
  7770. Workstation Name: -
  7771. Source Network Address: -
  7772. Source Port: -
  7773.  
  7774. Detailed Authentication Information:
  7775. Logon Process: Advapi
  7776. Authentication Package: Negotiate
  7777. Transited Services: -
  7778. Package Name (NTLM only): -
  7779. Key Length: 0
  7780.  
  7781. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  7782.  
  7783. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  7784.  
  7785. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  7786.  
  7787. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  7788.  
  7789. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  7790.  
  7791. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  7792.  
  7793. The authentication information fields provide detailed information about this specific logon request.
  7794. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  7795. - Transited services indicate which intermediate services have participated in this logon request.
  7796. - Package name indicates which sub-protocol was used among the NTLM protocols.
  7797. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  7798. Audit Success 5/2/2017 4:42:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  7799.  
  7800. Subject:
  7801. Security ID: SYSTEM
  7802. Account Name: SYSTEM
  7803. Account Domain: NT AUTHORITY
  7804. Logon ID: 0x3E7
  7805.  
  7806. Privileges: SeAssignPrimaryTokenPrivilege
  7807. SeTcbPrivilege
  7808. SeSecurityPrivilege
  7809. SeTakeOwnershipPrivilege
  7810. SeLoadDriverPrivilege
  7811. SeBackupPrivilege
  7812. SeRestorePrivilege
  7813. SeDebugPrivilege
  7814. SeAuditPrivilege
  7815. SeSystemEnvironmentPrivilege
  7816. SeImpersonatePrivilege
  7817. SeDelegateSessionUserImpersonatePrivilege"
  7818. Audit Success 5/2/2017 4:42:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  7819.  
  7820. Subject:
  7821. Security ID: SYSTEM
  7822. Account Name: DESKTOP-TM5QNT2$
  7823. Account Domain: WORKGROUP
  7824. Logon ID: 0x3E7
  7825.  
  7826. Logon Information:
  7827. Logon Type: 5
  7828. Restricted Admin Mode: -
  7829. Virtual Account: No
  7830. Elevated Token: Yes
  7831.  
  7832. Impersonation Level: Impersonation
  7833.  
  7834. New Logon:
  7835. Security ID: SYSTEM
  7836. Account Name: SYSTEM
  7837. Account Domain: NT AUTHORITY
  7838. Logon ID: 0x3E7
  7839. Linked Logon ID: 0x0
  7840. Network Account Name: -
  7841. Network Account Domain: -
  7842. Logon GUID: {00000000-0000-0000-0000-000000000000}
  7843.  
  7844. Process Information:
  7845. Process ID: 0x2f0
  7846. Process Name: C:\Windows\System32\services.exe
  7847.  
  7848. Network Information:
  7849. Workstation Name: -
  7850. Source Network Address: -
  7851. Source Port: -
  7852.  
  7853. Detailed Authentication Information:
  7854. Logon Process: Advapi
  7855. Authentication Package: Negotiate
  7856. Transited Services: -
  7857. Package Name (NTLM only): -
  7858. Key Length: 0
  7859.  
  7860. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  7861.  
  7862. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  7863.  
  7864. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  7865.  
  7866. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  7867.  
  7868. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  7869.  
  7870. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  7871.  
  7872. The authentication information fields provide detailed information about this specific logon request.
  7873. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  7874. - Transited services indicate which intermediate services have participated in this logon request.
  7875. - Package name indicates which sub-protocol was used among the NTLM protocols.
  7876. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  7877. Audit Success 5/2/2017 4:40:56 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  7878.  
  7879. Subject:
  7880. Security ID: SYSTEM
  7881. Account Name: SYSTEM
  7882. Account Domain: NT AUTHORITY
  7883. Logon ID: 0x3E7
  7884.  
  7885. Privileges: SeAssignPrimaryTokenPrivilege
  7886. SeTcbPrivilege
  7887. SeSecurityPrivilege
  7888. SeTakeOwnershipPrivilege
  7889. SeLoadDriverPrivilege
  7890. SeBackupPrivilege
  7891. SeRestorePrivilege
  7892. SeDebugPrivilege
  7893. SeAuditPrivilege
  7894. SeSystemEnvironmentPrivilege
  7895. SeImpersonatePrivilege
  7896. SeDelegateSessionUserImpersonatePrivilege"
  7897. Audit Success 5/2/2017 4:40:56 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  7898.  
  7899. Subject:
  7900. Security ID: SYSTEM
  7901. Account Name: DESKTOP-TM5QNT2$
  7902. Account Domain: WORKGROUP
  7903. Logon ID: 0x3E7
  7904.  
  7905. Logon Information:
  7906. Logon Type: 5
  7907. Restricted Admin Mode: -
  7908. Virtual Account: No
  7909. Elevated Token: Yes
  7910.  
  7911. Impersonation Level: Impersonation
  7912.  
  7913. New Logon:
  7914. Security ID: SYSTEM
  7915. Account Name: SYSTEM
  7916. Account Domain: NT AUTHORITY
  7917. Logon ID: 0x3E7
  7918. Linked Logon ID: 0x0
  7919. Network Account Name: -
  7920. Network Account Domain: -
  7921. Logon GUID: {00000000-0000-0000-0000-000000000000}
  7922.  
  7923. Process Information:
  7924. Process ID: 0x2f0
  7925. Process Name: C:\Windows\System32\services.exe
  7926.  
  7927. Network Information:
  7928. Workstation Name: -
  7929. Source Network Address: -
  7930. Source Port: -
  7931.  
  7932. Detailed Authentication Information:
  7933. Logon Process: Advapi
  7934. Authentication Package: Negotiate
  7935. Transited Services: -
  7936. Package Name (NTLM only): -
  7937. Key Length: 0
  7938.  
  7939. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  7940.  
  7941. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  7942.  
  7943. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  7944.  
  7945. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  7946.  
  7947. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  7948.  
  7949. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  7950.  
  7951. The authentication information fields provide detailed information about this specific logon request.
  7952. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  7953. - Transited services indicate which intermediate services have participated in this logon request.
  7954. - Package name indicates which sub-protocol was used among the NTLM protocols.
  7955. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  7956. Audit Success 5/2/2017 4:40:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  7957.  
  7958. Subject:
  7959. Security ID: SYSTEM
  7960. Account Name: SYSTEM
  7961. Account Domain: NT AUTHORITY
  7962. Logon ID: 0x3E7
  7963.  
  7964. Privileges: SeAssignPrimaryTokenPrivilege
  7965. SeTcbPrivilege
  7966. SeSecurityPrivilege
  7967. SeTakeOwnershipPrivilege
  7968. SeLoadDriverPrivilege
  7969. SeBackupPrivilege
  7970. SeRestorePrivilege
  7971. SeDebugPrivilege
  7972. SeAuditPrivilege
  7973. SeSystemEnvironmentPrivilege
  7974. SeImpersonatePrivilege
  7975. SeDelegateSessionUserImpersonatePrivilege"
  7976. Audit Success 5/2/2017 4:40:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  7977.  
  7978. Subject:
  7979. Security ID: SYSTEM
  7980. Account Name: DESKTOP-TM5QNT2$
  7981. Account Domain: WORKGROUP
  7982. Logon ID: 0x3E7
  7983.  
  7984. Logon Information:
  7985. Logon Type: 5
  7986. Restricted Admin Mode: -
  7987. Virtual Account: No
  7988. Elevated Token: Yes
  7989.  
  7990. Impersonation Level: Impersonation
  7991.  
  7992. New Logon:
  7993. Security ID: SYSTEM
  7994. Account Name: SYSTEM
  7995. Account Domain: NT AUTHORITY
  7996. Logon ID: 0x3E7
  7997. Linked Logon ID: 0x0
  7998. Network Account Name: -
  7999. Network Account Domain: -
  8000. Logon GUID: {00000000-0000-0000-0000-000000000000}
  8001.  
  8002. Process Information:
  8003. Process ID: 0x2f0
  8004. Process Name: C:\Windows\System32\services.exe
  8005.  
  8006. Network Information:
  8007. Workstation Name: -
  8008. Source Network Address: -
  8009. Source Port: -
  8010.  
  8011. Detailed Authentication Information:
  8012. Logon Process: Advapi
  8013. Authentication Package: Negotiate
  8014. Transited Services: -
  8015. Package Name (NTLM only): -
  8016. Key Length: 0
  8017.  
  8018. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  8019.  
  8020. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  8021.  
  8022. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  8023.  
  8024. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  8025.  
  8026. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  8027.  
  8028. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  8029.  
  8030. The authentication information fields provide detailed information about this specific logon request.
  8031. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  8032. - Transited services indicate which intermediate services have participated in this logon request.
  8033. - Package name indicates which sub-protocol was used among the NTLM protocols.
  8034. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  8035. Audit Success 5/2/2017 4:40:54 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  8036.  
  8037. Subject:
  8038. Security ID: DESKTOP-TM5QNT2\Jai
  8039. Account Name: Jai
  8040. Account Domain: DESKTOP-TM5QNT2
  8041. Logon ID: 0x44375
  8042.  
  8043. User:
  8044. Security ID: DESKTOP-TM5QNT2\Jai
  8045. Account Name: Jai
  8046. Account Domain: DESKTOP-TM5QNT2
  8047.  
  8048. Process Information:
  8049. Process ID: 0x15e4
  8050. Process Name: C:\Windows\explorer.exe"
  8051. Audit Success 5/2/2017 4:40:53 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  8052.  
  8053. Subject:
  8054. Security ID: SYSTEM
  8055. Account Name: DESKTOP-TM5QNT2$
  8056. Account Domain: WORKGROUP
  8057. Logon ID: 0x3E7
  8058.  
  8059. Group:
  8060. Security ID: BUILTIN\Administrators
  8061. Group Name: Administrators
  8062. Group Domain: Builtin
  8063.  
  8064. Process Information:
  8065. Process ID: 0x2da0
  8066. Process Name: C:\Windows\System32\svchost.exe"
  8067. Audit Success 5/2/2017 4:40:50 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  8068.  
  8069. Subject:
  8070. Security ID: SYSTEM
  8071. Account Name: SYSTEM
  8072. Account Domain: NT AUTHORITY
  8073. Logon ID: 0x3E7
  8074.  
  8075. Privileges: SeAssignPrimaryTokenPrivilege
  8076. SeTcbPrivilege
  8077. SeSecurityPrivilege
  8078. SeTakeOwnershipPrivilege
  8079. SeLoadDriverPrivilege
  8080. SeBackupPrivilege
  8081. SeRestorePrivilege
  8082. SeDebugPrivilege
  8083. SeAuditPrivilege
  8084. SeSystemEnvironmentPrivilege
  8085. SeImpersonatePrivilege
  8086. SeDelegateSessionUserImpersonatePrivilege"
  8087. Audit Success 5/2/2017 4:40:50 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  8088.  
  8089. Subject:
  8090. Security ID: SYSTEM
  8091. Account Name: DESKTOP-TM5QNT2$
  8092. Account Domain: WORKGROUP
  8093. Logon ID: 0x3E7
  8094.  
  8095. Logon Information:
  8096. Logon Type: 5
  8097. Restricted Admin Mode: -
  8098. Virtual Account: No
  8099. Elevated Token: Yes
  8100.  
  8101. Impersonation Level: Impersonation
  8102.  
  8103. New Logon:
  8104. Security ID: SYSTEM
  8105. Account Name: SYSTEM
  8106. Account Domain: NT AUTHORITY
  8107. Logon ID: 0x3E7
  8108. Linked Logon ID: 0x0
  8109. Network Account Name: -
  8110. Network Account Domain: -
  8111. Logon GUID: {00000000-0000-0000-0000-000000000000}
  8112.  
  8113. Process Information:
  8114. Process ID: 0x2f0
  8115. Process Name: C:\Windows\System32\services.exe
  8116.  
  8117. Network Information:
  8118. Workstation Name: -
  8119. Source Network Address: -
  8120. Source Port: -
  8121.  
  8122. Detailed Authentication Information:
  8123. Logon Process: Advapi
  8124. Authentication Package: Negotiate
  8125. Transited Services: -
  8126. Package Name (NTLM only): -
  8127. Key Length: 0
  8128.  
  8129. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  8130.  
  8131. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  8132.  
  8133. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  8134.  
  8135. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  8136.  
  8137. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  8138.  
  8139. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  8140.  
  8141. The authentication information fields provide detailed information about this specific logon request.
  8142. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  8143. - Transited services indicate which intermediate services have participated in this logon request.
  8144. - Package name indicates which sub-protocol was used among the NTLM protocols.
  8145. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  8146. Audit Success 5/2/2017 4:39:57 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  8147.  
  8148. Subject:
  8149. Security ID: DESKTOP-TM5QNT2\Jai
  8150. Account Name: Jai
  8151. Account Domain: DESKTOP-TM5QNT2
  8152. Logon ID: 0x44375
  8153.  
  8154. User:
  8155. Security ID: DESKTOP-TM5QNT2\Jai
  8156. Account Name: Jai
  8157. Account Domain: DESKTOP-TM5QNT2
  8158.  
  8159. Process Information:
  8160. Process ID: 0x2454
  8161. Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
  8162. Audit Success 5/2/2017 4:39:38 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  8163.  
  8164. Subject:
  8165. Security ID: SYSTEM
  8166. Account Name: SYSTEM
  8167. Account Domain: NT AUTHORITY
  8168. Logon ID: 0x3E7
  8169.  
  8170. Privileges: SeAssignPrimaryTokenPrivilege
  8171. SeTcbPrivilege
  8172. SeSecurityPrivilege
  8173. SeTakeOwnershipPrivilege
  8174. SeLoadDriverPrivilege
  8175. SeBackupPrivilege
  8176. SeRestorePrivilege
  8177. SeDebugPrivilege
  8178. SeAuditPrivilege
  8179. SeSystemEnvironmentPrivilege
  8180. SeImpersonatePrivilege
  8181. SeDelegateSessionUserImpersonatePrivilege"
  8182. Audit Success 5/2/2017 4:39:38 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  8183.  
  8184. Subject:
  8185. Security ID: SYSTEM
  8186. Account Name: DESKTOP-TM5QNT2$
  8187. Account Domain: WORKGROUP
  8188. Logon ID: 0x3E7
  8189.  
  8190. Logon Information:
  8191. Logon Type: 5
  8192. Restricted Admin Mode: -
  8193. Virtual Account: No
  8194. Elevated Token: Yes
  8195.  
  8196. Impersonation Level: Impersonation
  8197.  
  8198. New Logon:
  8199. Security ID: SYSTEM
  8200. Account Name: SYSTEM
  8201. Account Domain: NT AUTHORITY
  8202. Logon ID: 0x3E7
  8203. Linked Logon ID: 0x0
  8204. Network Account Name: -
  8205. Network Account Domain: -
  8206. Logon GUID: {00000000-0000-0000-0000-000000000000}
  8207.  
  8208. Process Information:
  8209. Process ID: 0x2f0
  8210. Process Name: C:\Windows\System32\services.exe
  8211.  
  8212. Network Information:
  8213. Workstation Name: -
  8214. Source Network Address: -
  8215. Source Port: -
  8216.  
  8217. Detailed Authentication Information:
  8218. Logon Process: Advapi
  8219. Authentication Package: Negotiate
  8220. Transited Services: -
  8221. Package Name (NTLM only): -
  8222. Key Length: 0
  8223.  
  8224. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  8225.  
  8226. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  8227.  
  8228. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  8229.  
  8230. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  8231.  
  8232. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  8233.  
  8234. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  8235.  
  8236. The authentication information fields provide detailed information about this specific logon request.
  8237. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  8238. - Transited services indicate which intermediate services have participated in this logon request.
  8239. - Package name indicates which sub-protocol was used among the NTLM protocols.
  8240. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  8241. Audit Success 5/2/2017 4:39:37 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  8242.  
  8243. Subject:
  8244. Security ID: SYSTEM
  8245. Account Name: SYSTEM
  8246. Account Domain: NT AUTHORITY
  8247. Logon ID: 0x3E7
  8248.  
  8249. Privileges: SeAssignPrimaryTokenPrivilege
  8250. SeTcbPrivilege
  8251. SeSecurityPrivilege
  8252. SeTakeOwnershipPrivilege
  8253. SeLoadDriverPrivilege
  8254. SeBackupPrivilege
  8255. SeRestorePrivilege
  8256. SeDebugPrivilege
  8257. SeAuditPrivilege
  8258. SeSystemEnvironmentPrivilege
  8259. SeImpersonatePrivilege
  8260. SeDelegateSessionUserImpersonatePrivilege"
  8261. Audit Success 5/2/2017 4:39:37 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  8262.  
  8263. Subject:
  8264. Security ID: SYSTEM
  8265. Account Name: DESKTOP-TM5QNT2$
  8266. Account Domain: WORKGROUP
  8267. Logon ID: 0x3E7
  8268.  
  8269. Logon Information:
  8270. Logon Type: 5
  8271. Restricted Admin Mode: -
  8272. Virtual Account: No
  8273. Elevated Token: Yes
  8274.  
  8275. Impersonation Level: Impersonation
  8276.  
  8277. New Logon:
  8278. Security ID: SYSTEM
  8279. Account Name: SYSTEM
  8280. Account Domain: NT AUTHORITY
  8281. Logon ID: 0x3E7
  8282. Linked Logon ID: 0x0
  8283. Network Account Name: -
  8284. Network Account Domain: -
  8285. Logon GUID: {00000000-0000-0000-0000-000000000000}
  8286.  
  8287. Process Information:
  8288. Process ID: 0x2f0
  8289. Process Name: C:\Windows\System32\services.exe
  8290.  
  8291. Network Information:
  8292. Workstation Name: -
  8293. Source Network Address: -
  8294. Source Port: -
  8295.  
  8296. Detailed Authentication Information:
  8297. Logon Process: Advapi
  8298. Authentication Package: Negotiate
  8299. Transited Services: -
  8300. Package Name (NTLM only): -
  8301. Key Length: 0
  8302.  
  8303. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  8304.  
  8305. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  8306.  
  8307. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  8308.  
  8309. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  8310.  
  8311. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  8312.  
  8313. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  8314.  
  8315. The authentication information fields provide detailed information about this specific logon request.
  8316. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  8317. - Transited services indicate which intermediate services have participated in this logon request.
  8318. - Package name indicates which sub-protocol was used among the NTLM protocols.
  8319. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  8320. Audit Success 5/2/2017 4:39:15 PM Microsoft-Windows-Security-Auditing 4797 User Account Management "An attempt was made to query the existence of a blank password for an account.
  8321.  
  8322. Subject:
  8323. Security ID: DESKTOP-TM5QNT2\Jai
  8324. Account Name: Jai
  8325. Account Domain: DESKTOP-TM5QNT2
  8326. Logon ID: 0x44375
  8327.  
  8328. Additional Information:
  8329. Caller Workstation: DESKTOP-TM5QNT2
  8330. Target Account Name: Guest
  8331. Target Account Domain: DESKTOP-TM5QNT2"
  8332. Audit Success 5/2/2017 4:39:15 PM Microsoft-Windows-Security-Auditing 4797 User Account Management "An attempt was made to query the existence of a blank password for an account.
  8333.  
  8334. Subject:
  8335. Security ID: DESKTOP-TM5QNT2\Jai
  8336. Account Name: Jai
  8337. Account Domain: DESKTOP-TM5QNT2
  8338. Logon ID: 0x44375
  8339.  
  8340. Additional Information:
  8341. Caller Workstation: DESKTOP-TM5QNT2
  8342. Target Account Name: DefaultAccount
  8343. Target Account Domain: DESKTOP-TM5QNT2"
  8344. Audit Success 5/2/2017 4:39:15 PM Microsoft-Windows-Security-Auditing 4797 User Account Management "An attempt was made to query the existence of a blank password for an account.
  8345.  
  8346. Subject:
  8347. Security ID: DESKTOP-TM5QNT2\Jai
  8348. Account Name: Jai
  8349. Account Domain: DESKTOP-TM5QNT2
  8350. Logon ID: 0x44375
  8351.  
  8352. Additional Information:
  8353. Caller Workstation: DESKTOP-TM5QNT2
  8354. Target Account Name: Administrator
  8355. Target Account Domain: DESKTOP-TM5QNT2"
  8356. Audit Success 5/2/2017 4:39:14 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  8357.  
  8358. Subject:
  8359. Security ID: SYSTEM
  8360. Account Name: SYSTEM
  8361. Account Domain: NT AUTHORITY
  8362. Logon ID: 0x3E7
  8363.  
  8364. Privileges: SeAssignPrimaryTokenPrivilege
  8365. SeTcbPrivilege
  8366. SeSecurityPrivilege
  8367. SeTakeOwnershipPrivilege
  8368. SeLoadDriverPrivilege
  8369. SeBackupPrivilege
  8370. SeRestorePrivilege
  8371. SeDebugPrivilege
  8372. SeAuditPrivilege
  8373. SeSystemEnvironmentPrivilege
  8374. SeImpersonatePrivilege
  8375. SeDelegateSessionUserImpersonatePrivilege"
  8376. Audit Success 5/2/2017 4:39:14 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  8377.  
  8378. Subject:
  8379. Security ID: SYSTEM
  8380. Account Name: DESKTOP-TM5QNT2$
  8381. Account Domain: WORKGROUP
  8382. Logon ID: 0x3E7
  8383.  
  8384. Logon Information:
  8385. Logon Type: 5
  8386. Restricted Admin Mode: -
  8387. Virtual Account: No
  8388. Elevated Token: Yes
  8389.  
  8390. Impersonation Level: Impersonation
  8391.  
  8392. New Logon:
  8393. Security ID: SYSTEM
  8394. Account Name: SYSTEM
  8395. Account Domain: NT AUTHORITY
  8396. Logon ID: 0x3E7
  8397. Linked Logon ID: 0x0
  8398. Network Account Name: -
  8399. Network Account Domain: -
  8400. Logon GUID: {00000000-0000-0000-0000-000000000000}
  8401.  
  8402. Process Information:
  8403. Process ID: 0x2f0
  8404. Process Name: C:\Windows\System32\services.exe
  8405.  
  8406. Network Information:
  8407. Workstation Name: -
  8408. Source Network Address: -
  8409. Source Port: -
  8410.  
  8411. Detailed Authentication Information:
  8412. Logon Process: Advapi
  8413. Authentication Package: Negotiate
  8414. Transited Services: -
  8415. Package Name (NTLM only): -
  8416. Key Length: 0
  8417.  
  8418. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  8419.  
  8420. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  8421.  
  8422. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  8423.  
  8424. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  8425.  
  8426. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  8427.  
  8428. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  8429.  
  8430. The authentication information fields provide detailed information about this specific logon request.
  8431. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  8432. - Transited services indicate which intermediate services have participated in this logon request.
  8433. - Package name indicates which sub-protocol was used among the NTLM protocols.
  8434. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  8435. Audit Success 5/2/2017 4:39:14 PM Microsoft-Windows-Security-Auditing 5059 Other System Events "Key migration operation.
  8436.  
  8437. Subject:
  8438. Security ID: LOCAL SERVICE
  8439. Account Name: LOCAL SERVICE
  8440. Account Domain: NT AUTHORITY
  8441. Logon ID: 0x3E5
  8442.  
  8443. Cryptographic Parameters:
  8444. Provider Name: Microsoft Software Key Storage Provider
  8445. Algorithm Name: ECDSA_P256
  8446. Key Name: b9f2517f4754014d
  8447. Key Type: User key.
  8448.  
  8449. Additional Information:
  8450. Operation: Export of persistent cryptographic key.
  8451. Return Code: 0x0"
  8452. Audit Success 5/2/2017 4:39:14 PM Microsoft-Windows-Security-Auditing 5061 System Integrity "Cryptographic operation.
  8453.  
  8454. Subject:
  8455. Security ID: LOCAL SERVICE
  8456. Account Name: LOCAL SERVICE
  8457. Account Domain: NT AUTHORITY
  8458. Logon ID: 0x3E5
  8459.  
  8460. Cryptographic Parameters:
  8461. Provider Name: Microsoft Software Key Storage Provider
  8462. Algorithm Name: ECDSA_P256
  8463. Key Name: b9f2517f4754014d
  8464. Key Type: User key.
  8465.  
  8466. Cryptographic Operation:
  8467. Operation: Open Key.
  8468. Return Code: 0x0"
  8469. Audit Success 5/2/2017 4:39:14 PM Microsoft-Windows-Security-Auditing 5058 Other System Events "Key file operation.
  8470.  
  8471. Subject:
  8472. Security ID: LOCAL SERVICE
  8473. Account Name: LOCAL SERVICE
  8474. Account Domain: NT AUTHORITY
  8475. Logon ID: 0x3E5
  8476.  
  8477. Cryptographic Parameters:
  8478. Provider Name: Microsoft Software Key Storage Provider
  8479. Algorithm Name: UNKNOWN
  8480. Key Name: b9f2517f4754014d
  8481. Key Type: User key.
  8482.  
  8483. Key File Operation Information:
  8484. File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\3ad54d8cdb73d107e26bb0926fb878e5_e373e90a-b40d-45c4-ac61-69a179d88b1d
  8485. Operation: Read persisted key from file.
  8486. Return Code: 0x0"
  8487. Audit Success 5/2/2017 4:39:08 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  8488.  
  8489. Subject:
  8490. Security ID: SYSTEM
  8491. Account Name: SYSTEM
  8492. Account Domain: NT AUTHORITY
  8493. Logon ID: 0x3E7
  8494.  
  8495. Privileges: SeAssignPrimaryTokenPrivilege
  8496. SeTcbPrivilege
  8497. SeSecurityPrivilege
  8498. SeTakeOwnershipPrivilege
  8499. SeLoadDriverPrivilege
  8500. SeBackupPrivilege
  8501. SeRestorePrivilege
  8502. SeDebugPrivilege
  8503. SeAuditPrivilege
  8504. SeSystemEnvironmentPrivilege
  8505. SeImpersonatePrivilege
  8506. SeDelegateSessionUserImpersonatePrivilege"
  8507. Audit Success 5/2/2017 4:39:08 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  8508.  
  8509. Subject:
  8510. Security ID: SYSTEM
  8511. Account Name: DESKTOP-TM5QNT2$
  8512. Account Domain: WORKGROUP
  8513. Logon ID: 0x3E7
  8514.  
  8515. Logon Information:
  8516. Logon Type: 5
  8517. Restricted Admin Mode: -
  8518. Virtual Account: No
  8519. Elevated Token: Yes
  8520.  
  8521. Impersonation Level: Impersonation
  8522.  
  8523. New Logon:
  8524. Security ID: SYSTEM
  8525. Account Name: SYSTEM
  8526. Account Domain: NT AUTHORITY
  8527. Logon ID: 0x3E7
  8528. Linked Logon ID: 0x0
  8529. Network Account Name: -
  8530. Network Account Domain: -
  8531. Logon GUID: {00000000-0000-0000-0000-000000000000}
  8532.  
  8533. Process Information:
  8534. Process ID: 0x2f0
  8535. Process Name: C:\Windows\System32\services.exe
  8536.  
  8537. Network Information:
  8538. Workstation Name: -
  8539. Source Network Address: -
  8540. Source Port: -
  8541.  
  8542. Detailed Authentication Information:
  8543. Logon Process: Advapi
  8544. Authentication Package: Negotiate
  8545. Transited Services: -
  8546. Package Name (NTLM only): -
  8547. Key Length: 0
  8548.  
  8549. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  8550.  
  8551. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  8552.  
  8553. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  8554.  
  8555. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  8556.  
  8557. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  8558.  
  8559. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  8560.  
  8561. The authentication information fields provide detailed information about this specific logon request.
  8562. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  8563. - Transited services indicate which intermediate services have participated in this logon request.
  8564. - Package name indicates which sub-protocol was used among the NTLM protocols.
  8565. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  8566. Audit Success 5/2/2017 4:39:05 PM Microsoft-Windows-Security-Auditing 5059 Other System Events "Key migration operation.
  8567.  
  8568. Subject:
  8569. Security ID: LOCAL SERVICE
  8570. Account Name: LOCAL SERVICE
  8571. Account Domain: NT AUTHORITY
  8572. Logon ID: 0x3E5
  8573.  
  8574. Cryptographic Parameters:
  8575. Provider Name: Microsoft Software Key Storage Provider
  8576. Algorithm Name: ECDSA_P256
  8577. Key Name: Microsoft Connected Devices Platform device certificate
  8578. Key Type: User key.
  8579.  
  8580. Additional Information:
  8581. Operation: Export of persistent cryptographic key.
  8582. Return Code: 0x0"
  8583. Audit Success 5/2/2017 4:39:05 PM Microsoft-Windows-Security-Auditing 5061 System Integrity "Cryptographic operation.
  8584.  
  8585. Subject:
  8586. Security ID: LOCAL SERVICE
  8587. Account Name: LOCAL SERVICE
  8588. Account Domain: NT AUTHORITY
  8589. Logon ID: 0x3E5
  8590.  
  8591. Cryptographic Parameters:
  8592. Provider Name: Microsoft Software Key Storage Provider
  8593. Algorithm Name: ECDSA_P256
  8594. Key Name: Microsoft Connected Devices Platform device certificate
  8595. Key Type: User key.
  8596.  
  8597. Cryptographic Operation:
  8598. Operation: Open Key.
  8599. Return Code: 0x0"
  8600. Audit Success 5/2/2017 4:39:05 PM Microsoft-Windows-Security-Auditing 5058 Other System Events "Key file operation.
  8601.  
  8602. Subject:
  8603. Security ID: LOCAL SERVICE
  8604. Account Name: LOCAL SERVICE
  8605. Account Domain: NT AUTHORITY
  8606. Logon ID: 0x3E5
  8607.  
  8608. Cryptographic Parameters:
  8609. Provider Name: Microsoft Software Key Storage Provider
  8610. Algorithm Name: UNKNOWN
  8611. Key Name: Microsoft Connected Devices Platform device certificate
  8612. Key Type: User key.
  8613.  
  8614. Key File Operation Information:
  8615. File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_e373e90a-b40d-45c4-ac61-69a179d88b1d
  8616. Operation: Read persisted key from file.
  8617. Return Code: 0x0"
  8618. Audit Success 5/2/2017 4:39:05 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  8619.  
  8620. Subject:
  8621. Security ID: DESKTOP-TM5QNT2\Jai
  8622. Account Name: Jai
  8623. Account Domain: DESKTOP-TM5QNT2
  8624. Logon ID: 0x44375
  8625.  
  8626. User:
  8627. Security ID: DESKTOP-TM5QNT2\Jai
  8628. Account Name: Jai
  8629. Account Domain: DESKTOP-TM5QNT2
  8630.  
  8631. Process Information:
  8632. Process ID: 0x15e4
  8633. Process Name: C:\Windows\explorer.exe"
  8634. Audit Success 5/2/2017 4:39:05 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.
  8635.  
  8636. Subject:
  8637. Security ID: DESKTOP-TM5QNT2\Jai
  8638. Account Name: Jai
  8639. Account Domain: DESKTOP-TM5QNT2
  8640. Logon ID: 0x44375
  8641.  
  8642. User:
  8643. Security ID: DESKTOP-TM5QNT2\Jai
  8644. Account Name: Jai
  8645. Account Domain: DESKTOP-TM5QNT2
  8646.  
  8647. Process Information:
  8648. Process ID: 0x15e4
  8649. Process Name: C:\Windows\explorer.exe"
  8650. Audit Success 5/2/2017 4:39:04 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  8651.  
  8652. Subject:
  8653. Security ID: SYSTEM
  8654. Account Name: DESKTOP-TM5QNT2$
  8655. Account Domain: WORKGROUP
  8656. Logon ID: 0x3E7
  8657.  
  8658. Group:
  8659. Security ID: BUILTIN\Administrators
  8660. Group Name: Administrators
  8661. Group Domain: Builtin
  8662.  
  8663. Process Information:
  8664. Process ID: 0x538
  8665. Process Name: C:\Windows\System32\svchost.exe"
  8666. Audit Success 5/2/2017 4:39:04 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  8667.  
  8668. Subject:
  8669. Security ID: DESKTOP-TM5QNT2\Jai
  8670. Account Name: Jai
  8671. Account Domain: DESKTOP-TM5QNT2
  8672. Logon ID: 0x4433C
  8673.  
  8674. Privileges: SeSecurityPrivilege
  8675. SeTakeOwnershipPrivilege
  8676. SeLoadDriverPrivilege
  8677. SeBackupPrivilege
  8678. SeRestorePrivilege
  8679. SeDebugPrivilege
  8680. SeSystemEnvironmentPrivilege
  8681. SeImpersonatePrivilege
  8682. SeDelegateSessionUserImpersonatePrivilege"
  8683. Audit Success 5/2/2017 4:39:04 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  8684.  
  8685. Subject:
  8686. Security ID: SYSTEM
  8687. Account Name: DESKTOP-TM5QNT2$
  8688. Account Domain: WORKGROUP
  8689. Logon ID: 0x3E7
  8690.  
  8691. Logon Information:
  8692. Logon Type: 2
  8693. Restricted Admin Mode: -
  8694. Virtual Account: No
  8695. Elevated Token: No
  8696.  
  8697. Impersonation Level: Impersonation
  8698.  
  8699. New Logon:
  8700. Security ID: DESKTOP-TM5QNT2\Jai
  8701. Account Name: Jai
  8702. Account Domain: DESKTOP-TM5QNT2
  8703. Logon ID: 0x44375
  8704. Linked Logon ID: 0x4433C
  8705. Network Account Name: -
  8706. Network Account Domain: -
  8707. Logon GUID: {00000000-0000-0000-0000-000000000000}
  8708.  
  8709. Process Information:
  8710. Process ID: 0x5fc
  8711. Process Name: C:\Windows\System32\svchost.exe
  8712.  
  8713. Network Information:
  8714. Workstation Name: DESKTOP-TM5QNT2
  8715. Source Network Address: 127.0.0.1
  8716. Source Port: 0
  8717.  
  8718. Detailed Authentication Information:
  8719. Logon Process: User32
  8720. Authentication Package: Negotiate
  8721. Transited Services: -
  8722. Package Name (NTLM only): -
  8723. Key Length: 0
  8724.  
  8725. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  8726.  
  8727. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  8728.  
  8729. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  8730.  
  8731. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  8732.  
  8733. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  8734.  
  8735. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  8736.  
  8737. The authentication information fields provide detailed information about this specific logon request.
  8738. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  8739. - Transited services indicate which intermediate services have participated in this logon request.
  8740. - Package name indicates which sub-protocol was used among the NTLM protocols.
  8741. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  8742. Audit Success 5/2/2017 4:39:04 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  8743.  
  8744. Subject:
  8745. Security ID: SYSTEM
  8746. Account Name: DESKTOP-TM5QNT2$
  8747. Account Domain: WORKGROUP
  8748. Logon ID: 0x3E7
  8749.  
  8750. Logon Information:
  8751. Logon Type: 2
  8752. Restricted Admin Mode: -
  8753. Virtual Account: No
  8754. Elevated Token: Yes
  8755.  
  8756. Impersonation Level: Impersonation
  8757.  
  8758. New Logon:
  8759. Security ID: DESKTOP-TM5QNT2\Jai
  8760. Account Name: Jai
  8761. Account Domain: DESKTOP-TM5QNT2
  8762. Logon ID: 0x4433C
  8763. Linked Logon ID: 0x44375
  8764. Network Account Name: -
  8765. Network Account Domain: -
  8766. Logon GUID: {00000000-0000-0000-0000-000000000000}
  8767.  
  8768. Process Information:
  8769. Process ID: 0x5fc
  8770. Process Name: C:\Windows\System32\svchost.exe
  8771.  
  8772. Network Information:
  8773. Workstation Name: DESKTOP-TM5QNT2
  8774. Source Network Address: 127.0.0.1
  8775. Source Port: 0
  8776.  
  8777. Detailed Authentication Information:
  8778. Logon Process: User32
  8779. Authentication Package: Negotiate
  8780. Transited Services: -
  8781. Package Name (NTLM only): -
  8782. Key Length: 0
  8783.  
  8784. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  8785.  
  8786. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  8787.  
  8788. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  8789.  
  8790. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  8791.  
  8792. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  8793.  
  8794. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  8795.  
  8796. The authentication information fields provide detailed information about this specific logon request.
  8797. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  8798. - Transited services indicate which intermediate services have participated in this logon request.
  8799. - Package name indicates which sub-protocol was used among the NTLM protocols.
  8800. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  8801. Audit Success 5/2/2017 4:39:04 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
  8802.  
  8803. Subject:
  8804. Security ID: SYSTEM
  8805. Account Name: DESKTOP-TM5QNT2$
  8806. Account Domain: WORKGROUP
  8807. Logon ID: 0x3E7
  8808. Logon GUID: {00000000-0000-0000-0000-000000000000}
  8809.  
  8810. Account Whose Credentials Were Used:
  8811. Account Name: Jai
  8812. Account Domain: DESKTOP-TM5QNT2
  8813. Logon GUID: {00000000-0000-0000-0000-000000000000}
  8814.  
  8815. Target Server:
  8816. Target Server Name: localhost
  8817. Additional Information: localhost
  8818.  
  8819. Process Information:
  8820. Process ID: 0x5fc
  8821. Process Name: C:\Windows\System32\svchost.exe
  8822.  
  8823. Network Information:
  8824. Network Address: 127.0.0.1
  8825. Port: 0
  8826.  
  8827. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
  8828. Audit Success 5/2/2017 4:38:56 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  8829.  
  8830. Subject:
  8831. Security ID: SYSTEM
  8832. Account Name: SYSTEM
  8833. Account Domain: NT AUTHORITY
  8834. Logon ID: 0x3E7
  8835.  
  8836. Privileges: SeAssignPrimaryTokenPrivilege
  8837. SeTcbPrivilege
  8838. SeSecurityPrivilege
  8839. SeTakeOwnershipPrivilege
  8840. SeLoadDriverPrivilege
  8841. SeBackupPrivilege
  8842. SeRestorePrivilege
  8843. SeDebugPrivilege
  8844. SeAuditPrivilege
  8845. SeSystemEnvironmentPrivilege
  8846. SeImpersonatePrivilege
  8847. SeDelegateSessionUserImpersonatePrivilege"
  8848. Audit Success 5/2/2017 4:38:56 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  8849.  
  8850. Subject:
  8851. Security ID: SYSTEM
  8852. Account Name: DESKTOP-TM5QNT2$
  8853. Account Domain: WORKGROUP
  8854. Logon ID: 0x3E7
  8855.  
  8856. Logon Information:
  8857. Logon Type: 5
  8858. Restricted Admin Mode: -
  8859. Virtual Account: No
  8860. Elevated Token: Yes
  8861.  
  8862. Impersonation Level: Impersonation
  8863.  
  8864. New Logon:
  8865. Security ID: SYSTEM
  8866. Account Name: SYSTEM
  8867. Account Domain: NT AUTHORITY
  8868. Logon ID: 0x3E7
  8869. Linked Logon ID: 0x0
  8870. Network Account Name: -
  8871. Network Account Domain: -
  8872. Logon GUID: {00000000-0000-0000-0000-000000000000}
  8873.  
  8874. Process Information:
  8875. Process ID: 0x2f0
  8876. Process Name: C:\Windows\System32\services.exe
  8877.  
  8878. Network Information:
  8879. Workstation Name: -
  8880. Source Network Address: -
  8881. Source Port: -
  8882.  
  8883. Detailed Authentication Information:
  8884. Logon Process: Advapi
  8885. Authentication Package: Negotiate
  8886. Transited Services: -
  8887. Package Name (NTLM only): -
  8888. Key Length: 0
  8889.  
  8890. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  8891.  
  8892. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  8893.  
  8894. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  8895.  
  8896. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  8897.  
  8898. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  8899.  
  8900. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  8901.  
  8902. The authentication information fields provide detailed information about this specific logon request.
  8903. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  8904. - Transited services indicate which intermediate services have participated in this logon request.
  8905. - Package name indicates which sub-protocol was used among the NTLM protocols.
  8906. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  8907. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.
  8908.  
  8909. Subject:
  8910. Security ID: SYSTEM
  8911. Account Name: DESKTOP-TM5QNT2$
  8912. Account Domain: WORKGROUP
  8913. Logon ID: 0x3E7
  8914.  
  8915. Group:
  8916. Security ID: BUILTIN\Administrators
  8917. Group Name: Administrators
  8918. Group Domain: Builtin
  8919.  
  8920. Process Information:
  8921. Process ID: 0xfc8
  8922. Process Name: C:\Windows\System32\SearchIndexer.exe"
  8923. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  8924.  
  8925. Subject:
  8926. Security ID: SYSTEM
  8927. Account Name: SYSTEM
  8928. Account Domain: NT AUTHORITY
  8929. Logon ID: 0x3E7
  8930.  
  8931. Privileges: SeAssignPrimaryTokenPrivilege
  8932. SeTcbPrivilege
  8933. SeSecurityPrivilege
  8934. SeTakeOwnershipPrivilege
  8935. SeLoadDriverPrivilege
  8936. SeBackupPrivilege
  8937. SeRestorePrivilege
  8938. SeDebugPrivilege
  8939. SeAuditPrivilege
  8940. SeSystemEnvironmentPrivilege
  8941. SeImpersonatePrivilege
  8942. SeDelegateSessionUserImpersonatePrivilege"
  8943. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  8944.  
  8945. Subject:
  8946. Security ID: SYSTEM
  8947. Account Name: DESKTOP-TM5QNT2$
  8948. Account Domain: WORKGROUP
  8949. Logon ID: 0x3E7
  8950.  
  8951. Logon Information:
  8952. Logon Type: 5
  8953. Restricted Admin Mode: -
  8954. Virtual Account: No
  8955. Elevated Token: Yes
  8956.  
  8957. Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 5024 Other System Events The Windows Firewall service started successfully.
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4798 User Account Management "A user's local group membership was enumerated.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

User:
Security ID: DESKTOP-TM5QNT2\Jai
Account Name: Jai
Account Domain: DESKTOP-TM5QNT2

Process Information:
Process ID: 0x464
Process Name: C:\Windows\System32\LogonUI.exe"
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Group:
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin

Process Information:
Process ID: 0x888
Process Name: C:\Windows\System32\svchost.exe"
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x28422
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Group:
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin

Process Information:
Process ID: 0xc20
Process Name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4799 Security Group Management "A security-enabled local group membership was enumerated.

Subject:
Security ID: NETWORK SERVICE
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E4

Group:
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin

Process Information:
Process ID: 0xbd4
Process Name: C:\Windows\System32\svchost.exe"
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  9758. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  9759.  
  9760. Subject:
  9761. Security ID: SYSTEM
  9762. Account Name: SYSTEM
  9763. Account Domain: NT AUTHORITY
  9764. Logon ID: 0x3E7
  9765.  
  9766. Privileges: SeAssignPrimaryTokenPrivilege
  9767. SeTcbPrivilege
  9768. SeSecurityPrivilege
  9769. SeTakeOwnershipPrivilege
  9770. SeLoadDriverPrivilege
  9771. SeBackupPrivilege
  9772. SeRestorePrivilege
  9773. SeDebugPrivilege
  9774. SeAuditPrivilege
  9775. SeSystemEnvironmentPrivilege
  9776. SeImpersonatePrivilege
  9777. SeDelegateSessionUserImpersonatePrivilege"
  9778. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  9779.  
  9780. Subject:
  9781. Security ID: SYSTEM
  9782. Account Name: DESKTOP-TM5QNT2$
  9783. Account Domain: WORKGROUP
  9784. Logon ID: 0x3E7
  9785.  
  9786. Logon Information:
  9787. Logon Type: 5
  9788. Restricted Admin Mode: -
  9789. Virtual Account: No
  9790. Elevated Token: Yes
  9791.  
  9792. Impersonation Level: Impersonation
  9793.  
  9794. New Logon:
  9795. Security ID: SYSTEM
  9796. Account Name: SYSTEM
  9797. Account Domain: NT AUTHORITY
  9798. Logon ID: 0x3E7
  9799. Linked Logon ID: 0x0
  9800. Network Account Name: -
  9801. Network Account Domain: -
  9802. Logon GUID: {00000000-0000-0000-0000-000000000000}
  9803.  
  9804. Process Information:
  9805. Process ID: 0x2f0
  9806. Process Name: C:\Windows\System32\services.exe
  9807.  
  9808. Network Information:
  9809. Workstation Name: -
  9810. Source Network Address: -
  9811. Source Port: -
  9812.  
  9813. Detailed Authentication Information:
  9814. Logon Process: Advapi
  9815. Authentication Package: Negotiate
  9816. Transited Services: -
  9817. Package Name (NTLM only): -
  9818. Key Length: 0
  9819.  
  9820. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  9821.  
  9822. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  9823.  
  9824. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  9825.  
  9826. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  9827.  
  9828. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  9829.  
  9830. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  9831.  
  9832. The authentication information fields provide detailed information about this specific logon request.
  9833. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  9834. - Transited services indicate which intermediate services have participated in this logon request.
  9835. - Package name indicates which sub-protocol was used among the NTLM protocols.
  9836. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  9837. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  9838.  
  9839. Subject:
  9840. Security ID: SYSTEM
  9841. Account Name: SYSTEM
  9842. Account Domain: NT AUTHORITY
  9843. Logon ID: 0x3E7
  9844.  
  9845. Privileges: SeAssignPrimaryTokenPrivilege
  9846. SeTcbPrivilege
  9847. SeSecurityPrivilege
  9848. SeTakeOwnershipPrivilege
  9849. SeLoadDriverPrivilege
  9850. SeBackupPrivilege
  9851. SeRestorePrivilege
  9852. SeDebugPrivilege
  9853. SeAuditPrivilege
  9854. SeSystemEnvironmentPrivilege
  9855. SeImpersonatePrivilege
  9856. SeDelegateSessionUserImpersonatePrivilege"
  9857. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  9858.  
  9859. Subject:
  9860. Security ID: SYSTEM
  9861. Account Name: DESKTOP-TM5QNT2$
  9862. Account Domain: WORKGROUP
  9863. Logon ID: 0x3E7
  9864.  
  9865. Logon Information:
  9866. Logon Type: 5
  9867. Restricted Admin Mode: -
  9868. Virtual Account: No
  9869. Elevated Token: Yes
  9870.  
  9871. Impersonation Level: Impersonation
  9872.  
  9873. New Logon:
  9874. Security ID: SYSTEM
  9875. Account Name: SYSTEM
  9876. Account Domain: NT AUTHORITY
  9877. Logon ID: 0x3E7
  9878. Linked Logon ID: 0x0
  9879. Network Account Name: -
  9880. Network Account Domain: -
  9881. Logon GUID: {00000000-0000-0000-0000-000000000000}
  9882.  
  9883. Process Information:
  9884. Process ID: 0x2f0
  9885. Process Name: C:\Windows\System32\services.exe
  9886.  
  9887. Network Information:
  9888. Workstation Name: -
  9889. Source Network Address: -
  9890. Source Port: -
  9891.  
  9892. Detailed Authentication Information:
  9893. Logon Process: Advapi
  9894. Authentication Package: Negotiate
  9895. Transited Services: -
  9896. Package Name (NTLM only): -
  9897. Key Length: 0
  9898.  
  9899. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  9900.  
  9901. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  9902.  
  9903. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  9904.  
  9905. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  9906.  
  9907. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  9908.  
  9909. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  9910.  
  9911. The authentication information fields provide detailed information about this specific logon request.
  9912. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  9913. - Transited services indicate which intermediate services have participated in this logon request.
  9914. - Package name indicates which sub-protocol was used among the NTLM protocols.
  9915. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  9916. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  9917.  
  9918. Subject:
  9919. Security ID: SYSTEM
  9920. Account Name: SYSTEM
  9921. Account Domain: NT AUTHORITY
  9922. Logon ID: 0x3E7
  9923.  
  9924. Privileges: SeAssignPrimaryTokenPrivilege
  9925. SeTcbPrivilege
  9926. SeSecurityPrivilege
  9927. SeTakeOwnershipPrivilege
  9928. SeLoadDriverPrivilege
  9929. SeBackupPrivilege
  9930. SeRestorePrivilege
  9931. SeDebugPrivilege
  9932. SeAuditPrivilege
  9933. SeSystemEnvironmentPrivilege
  9934. SeImpersonatePrivilege
  9935. SeDelegateSessionUserImpersonatePrivilege"
  9936. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  9937.  
  9938. Subject:
  9939. Security ID: SYSTEM
  9940. Account Name: DESKTOP-TM5QNT2$
  9941. Account Domain: WORKGROUP
  9942. Logon ID: 0x3E7
  9943.  
  9944. Logon Information:
  9945. Logon Type: 5
  9946. Restricted Admin Mode: -
  9947. Virtual Account: No
  9948. Elevated Token: Yes
  9949.  
  9950. Impersonation Level: Impersonation
  9951.  
  9952. New Logon:
  9953. Security ID: SYSTEM
  9954. Account Name: SYSTEM
  9955. Account Domain: NT AUTHORITY
  9956. Logon ID: 0x3E7
  9957. Linked Logon ID: 0x0
  9958. Network Account Name: -
  9959. Network Account Domain: -
  9960. Logon GUID: {00000000-0000-0000-0000-000000000000}
  9961.  
  9962. Process Information:
  9963. Process ID: 0x2f0
  9964. Process Name: C:\Windows\System32\services.exe
  9965.  
  9966. Network Information:
  9967. Workstation Name: -
  9968. Source Network Address: -
  9969. Source Port: -
  9970.  
  9971. Detailed Authentication Information:
  9972. Logon Process: Advapi
  9973. Authentication Package: Negotiate
  9974. Transited Services: -
  9975. Package Name (NTLM only): -
  9976. Key Length: 0
  9977.  
  9978. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  9979.  
  9980. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  9981.  
  9982. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  9983.  
  9984. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  9985.  
  9986. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  9987.  
  9988. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  9989.  
  9990. The authentication information fields provide detailed information about this specific logon request.
  9991. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  9992. - Transited services indicate which intermediate services have participated in this logon request.
  9993. - Package name indicates which sub-protocol was used among the NTLM protocols.
  9994. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  9995. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  9996.  
  9997. Subject:
  9998. Security ID: SYSTEM
  9999. Account Name: SYSTEM
  10000. Account Domain: NT AUTHORITY
  10001. Logon ID: 0x3E7
  10002.  
  10003. Privileges: SeAssignPrimaryTokenPrivilege
  10004. SeTcbPrivilege
  10005. SeSecurityPrivilege
  10006. SeTakeOwnershipPrivilege
  10007. SeLoadDriverPrivilege
  10008. SeBackupPrivilege
  10009. SeRestorePrivilege
  10010. SeDebugPrivilege
  10011. SeAuditPrivilege
  10012. SeSystemEnvironmentPrivilege
  10013. SeImpersonatePrivilege
  10014. SeDelegateSessionUserImpersonatePrivilege"
  10015. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  10016.  
  10017. Subject:
  10018. Security ID: SYSTEM
  10019. Account Name: DESKTOP-TM5QNT2$
  10020. Account Domain: WORKGROUP
  10021. Logon ID: 0x3E7
  10022.  
  10023. Logon Information:
  10024. Logon Type: 5
  10025. Restricted Admin Mode: -
  10026. Virtual Account: No
  10027. Elevated Token: Yes
  10028.  
  10029. Impersonation Level: Impersonation
  10030.  
  10031. New Logon:
  10032. Security ID: SYSTEM
  10033. Account Name: SYSTEM
  10034. Account Domain: NT AUTHORITY
  10035. Logon ID: 0x3E7
  10036. Linked Logon ID: 0x0
  10037. Network Account Name: -
  10038. Network Account Domain: -
  10039. Logon GUID: {00000000-0000-0000-0000-000000000000}
  10040.  
  10041. Process Information:
  10042. Process ID: 0x2f0
  10043. Process Name: C:\Windows\System32\services.exe
  10044.  
  10045. Network Information:
  10046. Workstation Name: -
  10047. Source Network Address: -
  10048. Source Port: -
  10049.  
  10050. Detailed Authentication Information:
  10051. Logon Process: Advapi
  10052. Authentication Package: Negotiate
  10053. Transited Services: -
  10054. Package Name (NTLM only): -
  10055. Key Length: 0
  10056.  
  10057. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  10058.  
  10059. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  10060.  
  10061. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  10062.  
  10063. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  10064.  
  10065. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  10066.  
  10067. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  10068.  
  10069. The authentication information fields provide detailed information about this specific logon request.
  10070. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  10071. - Transited services indicate which intermediate services have participated in this logon request.
  10072. - Package name indicates which sub-protocol was used among the NTLM protocols.
  10073. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  10074. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  10075.  
  10076. Subject:
  10077. Security ID: SYSTEM
  10078. Account Name: SYSTEM
  10079. Account Domain: NT AUTHORITY
  10080. Logon ID: 0x3E7
  10081.  
  10082. Privileges: SeAssignPrimaryTokenPrivilege
  10083. SeTcbPrivilege
  10084. SeSecurityPrivilege
  10085. SeTakeOwnershipPrivilege
  10086. SeLoadDriverPrivilege
  10087. SeBackupPrivilege
  10088. SeRestorePrivilege
  10089. SeDebugPrivilege
  10090. SeAuditPrivilege
  10091. SeSystemEnvironmentPrivilege
  10092. SeImpersonatePrivilege
  10093. SeDelegateSessionUserImpersonatePrivilege"
  10094. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  10095.  
  10096. Subject:
  10097. Security ID: SYSTEM
  10098. Account Name: DESKTOP-TM5QNT2$
  10099. Account Domain: WORKGROUP
  10100. Logon ID: 0x3E7
  10101.  
  10102. Logon Information:
  10103. Logon Type: 5
  10104. Restricted Admin Mode: -
  10105. Virtual Account: No
  10106. Elevated Token: Yes
  10107.  
  10108. Impersonation Level: Impersonation
  10109.  
  10110. New Logon:
  10111. Security ID: SYSTEM
  10112. Account Name: SYSTEM
  10113. Account Domain: NT AUTHORITY
  10114. Logon ID: 0x3E7
  10115. Linked Logon ID: 0x0
  10116. Network Account Name: -
  10117. Network Account Domain: -
  10118. Logon GUID: {00000000-0000-0000-0000-000000000000}
  10119.  
  10120. Process Information:
  10121. Process ID: 0x2f0
  10122. Process Name: C:\Windows\System32\services.exe
  10123.  
  10124. Network Information:
  10125. Workstation Name: -
  10126. Source Network Address: -
  10127. Source Port: -
  10128.  
  10129. Detailed Authentication Information:
  10130. Logon Process: Advapi
  10131. Authentication Package: Negotiate
  10132. Transited Services: -
  10133. Package Name (NTLM only): -
  10134. Key Length: 0
  10135.  
  10136. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  10137.  
  10138. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  10139.  
  10140. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  10141.  
  10142. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  10143.  
  10144. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  10145.  
  10146. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  10147.  
  10148. The authentication information fields provide detailed information about this specific logon request.
  10149. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  10150. - Transited services indicate which intermediate services have participated in this logon request.
  10151. - Package name indicates which sub-protocol was used among the NTLM protocols.
  10152. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  10153. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  10154.  
  10155. Subject:
  10156. Security ID: SYSTEM
  10157. Account Name: SYSTEM
  10158. Account Domain: NT AUTHORITY
  10159. Logon ID: 0x3E7
  10160.  
  10161. Privileges: SeAssignPrimaryTokenPrivilege
  10162. SeTcbPrivilege
  10163. SeSecurityPrivilege
  10164. SeTakeOwnershipPrivilege
  10165. SeLoadDriverPrivilege
  10166. SeBackupPrivilege
  10167. SeRestorePrivilege
  10168. SeDebugPrivilege
  10169. SeAuditPrivilege
  10170. SeSystemEnvironmentPrivilege
  10171. SeImpersonatePrivilege
  10172. SeDelegateSessionUserImpersonatePrivilege"
  10173. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  10174.  
  10175. Subject:
  10176. Security ID: SYSTEM
  10177. Account Name: DESKTOP-TM5QNT2$
  10178. Account Domain: WORKGROUP
  10179. Logon ID: 0x3E7
  10180.  
  10181. Logon Information:
  10182. Logon Type: 5
  10183. Restricted Admin Mode: -
  10184. Virtual Account: No
  10185. Elevated Token: Yes
  10186.  
  10187. Impersonation Level: Impersonation
  10188.  
  10189. New Logon:
  10190. Security ID: SYSTEM
  10191. Account Name: SYSTEM
  10192. Account Domain: NT AUTHORITY
  10193. Logon ID: 0x3E7
  10194. Linked Logon ID: 0x0
  10195. Network Account Name: -
  10196. Network Account Domain: -
  10197. Logon GUID: {00000000-0000-0000-0000-000000000000}
  10198.  
  10199. Process Information:
  10200. Process ID: 0x2f0
  10201. Process Name: C:\Windows\System32\services.exe
  10202.  
  10203. Network Information:
  10204. Workstation Name: -
  10205. Source Network Address: -
  10206. Source Port: -
  10207.  
  10208. Detailed Authentication Information:
  10209. Logon Process: Advapi
  10210. Authentication Package: Negotiate
  10211. Transited Services: -
  10212. Package Name (NTLM only): -
  10213. Key Length: 0
  10214.  
  10215. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  10216.  
  10217. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  10218.  
  10219. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  10220.  
  10221. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  10222.  
  10223. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  10224.  
  10225. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  10226.  
  10227. The authentication information fields provide detailed information about this specific logon request.
  10228. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  10229. - Transited services indicate which intermediate services have participated in this logon request.
  10230. - Package name indicates which sub-protocol was used among the NTLM protocols.
  10231. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  10232. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  10233.  
  10234. Subject:
  10235. Security ID: SYSTEM
  10236. Account Name: SYSTEM
  10237. Account Domain: NT AUTHORITY
  10238. Logon ID: 0x3E7
  10239.  
  10240. Privileges: SeAssignPrimaryTokenPrivilege
  10241. SeTcbPrivilege
  10242. SeSecurityPrivilege
  10243. SeTakeOwnershipPrivilege
  10244. SeLoadDriverPrivilege
  10245. SeBackupPrivilege
  10246. SeRestorePrivilege
  10247. SeDebugPrivilege
  10248. SeAuditPrivilege
  10249. SeSystemEnvironmentPrivilege
  10250. SeImpersonatePrivilege
  10251. SeDelegateSessionUserImpersonatePrivilege"
  10252. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  10253.  
  10254. Subject:
  10255. Security ID: SYSTEM
  10256. Account Name: DESKTOP-TM5QNT2$
  10257. Account Domain: WORKGROUP
  10258. Logon ID: 0x3E7
  10259.  
  10260. Logon Information:
  10261. Logon Type: 5
  10262. Restricted Admin Mode: -
  10263. Virtual Account: No
  10264. Elevated Token: Yes
  10265.  
  10266. Impersonation Level: Impersonation
  10267.  
  10268. New Logon:
  10269. Security ID: SYSTEM
  10270. Account Name: SYSTEM
  10271. Account Domain: NT AUTHORITY
  10272. Logon ID: 0x3E7
  10273. Linked Logon ID: 0x0
  10274. Network Account Name: -
  10275. Network Account Domain: -
  10276. Logon GUID: {00000000-0000-0000-0000-000000000000}
  10277.  
  10278. Process Information:
  10279. Process ID: 0x2f0
  10280. Process Name: C:\Windows\System32\services.exe
  10281.  
  10282. Network Information:
  10283. Workstation Name: -
  10284. Source Network Address: -
  10285. Source Port: -
  10286.  
  10287. Detailed Authentication Information:
  10288. Logon Process: Advapi
  10289. Authentication Package: Negotiate
  10290. Transited Services: -
  10291. Package Name (NTLM only): -
  10292. Key Length: 0
  10293.  
  10294. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  10295.  
  10296. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  10297.  
  10298. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  10299.  
  10300. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  10301.  
  10302. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  10303.  
  10304. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  10305.  
  10306. The authentication information fields provide detailed information about this specific logon request.
  10307. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  10308. - Transited services indicate which intermediate services have participated in this logon request.
  10309. - Package name indicates which sub-protocol was used among the NTLM protocols.
  10310. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  10311. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 5033 Other System Events The Windows Firewall Driver started successfully.
  10312. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  10313.  
  10314. Subject:
  10315. Security ID: SYSTEM
  10316. Account Name: SYSTEM
  10317. Account Domain: NT AUTHORITY
  10318. Logon ID: 0x3E7
  10319.  
  10320. Privileges: SeAssignPrimaryTokenPrivilege
  10321. SeTcbPrivilege
  10322. SeSecurityPrivilege
  10323. SeTakeOwnershipPrivilege
  10324. SeLoadDriverPrivilege
  10325. SeBackupPrivilege
  10326. SeRestorePrivilege
  10327. SeDebugPrivilege
  10328. SeAuditPrivilege
  10329. SeSystemEnvironmentPrivilege
  10330. SeImpersonatePrivilege
  10331. SeDelegateSessionUserImpersonatePrivilege"
  10332. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  10333.  
  10334. Subject:
  10335. Security ID: SYSTEM
  10336. Account Name: DESKTOP-TM5QNT2$
  10337. Account Domain: WORKGROUP
  10338. Logon ID: 0x3E7
  10339.  
  10340. Logon Information:
  10341. Logon Type: 5
  10342. Restricted Admin Mode: -
  10343. Virtual Account: No
  10344. Elevated Token: Yes
  10345.  
  10346. Impersonation Level: Impersonation
  10347.  
  10348. New Logon:
  10349. Security ID: SYSTEM
  10350. Account Name: SYSTEM
  10351. Account Domain: NT AUTHORITY
  10352. Logon ID: 0x3E7
  10353. Linked Logon ID: 0x0
  10354. Network Account Name: -
  10355. Network Account Domain: -
  10356. Logon GUID: {00000000-0000-0000-0000-000000000000}
  10357.  
  10358. Process Information:
  10359. Process ID: 0x2f0
  10360. Process Name: C:\Windows\System32\services.exe
  10361.  
  10362. Network Information:
  10363. Workstation Name: -
  10364. Source Network Address: -
  10365. Source Port: -
  10366.  
  10367. Detailed Authentication Information:
  10368. Logon Process: Advapi
  10369. Authentication Package: Negotiate
  10370. Transited Services: -
  10371. Package Name (NTLM only): -
  10372. Key Length: 0
  10373.  
  10374. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  10375.  
  10376. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  10377.  
  10378. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  10379.  
  10380. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  10381.  
  10382. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  10383.  
  10384. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  10385.  
  10386. The authentication information fields provide detailed information about this specific logon request.
  10387. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  10388. - Transited services indicate which intermediate services have participated in this logon request.
  10389. - Package name indicates which sub-protocol was used among the NTLM protocols.
  10390. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  10391. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  10392.  
  10393. Subject:
  10394. Security ID: SYSTEM
  10395. Account Name: SYSTEM
  10396. Account Domain: NT AUTHORITY
  10397. Logon ID: 0x3E7
  10398.  
  10399. Privileges: SeAssignPrimaryTokenPrivilege
  10400. SeTcbPrivilege
  10401. SeSecurityPrivilege
  10402. SeTakeOwnershipPrivilege
  10403. SeLoadDriverPrivilege
  10404. SeBackupPrivilege
  10405. SeRestorePrivilege
  10406. SeDebugPrivilege
  10407. SeAuditPrivilege
  10408. SeSystemEnvironmentPrivilege
  10409. SeImpersonatePrivilege
  10410. SeDelegateSessionUserImpersonatePrivilege"
  10411. Audit Success 5/2/2017 4:38:54 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  10412.  
  10413. Subject:
  10414. Security ID: SYSTEM
  10415. Account Name: DESKTOP-TM5QNT2$
  10416. Account Domain: WORKGROUP
  10417. Logon ID: 0x3E7
  10418.  
  10419. Logon Information:
  10420. Logon Type: 5
  10421. Restricted Admin Mode: -
  10422. Virtual Account: No
  10423. Elevated Token: Yes
  10424.  
  10425. Impersonation Level: Impersonation
  10426.  
  10427. New Logon:
  10428. Security ID: SYSTEM
  10429. Account Name: SYSTEM
  10430. Account Domain: NT AUTHORITY
  10431. Logon ID: 0x3E7
  10432. Linked Logon ID: 0x0
  10433. Network Account Name: -
  10434. Network Account Domain: -
  10435. Logon GUID: {00000000-0000-0000-0000-000000000000}
  10436.  
  10437. Process Information:
  10438. Process ID: 0x2f0
  10439. Process Name: C:\Windows\System32\services.exe
  10440.  
  10441. Network Information:
  10442. Workstation Name: -
  10443. Source Network Address: -
  10444. Source Port: -
  10445.  
  10446. Detailed Authentication Information:
  10447. Logon Process: Advapi
  10448. Authentication Package: Negotiate
  10449. Transited Services: -
  10450. Package Name (NTLM only): -
  10451. Key Length: 0
  10452.  
  10453. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  10454.  
  10455. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  10456.  
  10457. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  10458.  
  10459. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  10460.  
  10461. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  10462.  
  10463. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  10464.  
  10465. The authentication information fields provide detailed information about this specific logon request.
  10466. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  10467. - Transited services indicate which intermediate services have participated in this logon request.
  10468. - Package name indicates which sub-protocol was used among the NTLM protocols.
  10469. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  10470. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  10471.  
  10472. Subject:
  10473. Security ID: SYSTEM
  10474. Account Name: SYSTEM
  10475. Account Domain: NT AUTHORITY
  10476. Logon ID: 0x3E7
  10477.  
  10478. Privileges: SeAssignPrimaryTokenPrivilege
  10479. SeTcbPrivilege
  10480. SeSecurityPrivilege
  10481. SeTakeOwnershipPrivilege
  10482. SeLoadDriverPrivilege
  10483. SeBackupPrivilege
  10484. SeRestorePrivilege
  10485. SeDebugPrivilege
  10486. SeAuditPrivilege
  10487. SeSystemEnvironmentPrivilege
  10488. SeImpersonatePrivilege
  10489. SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5

Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege"
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege"
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2f0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: Window Manager\DWM-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x107FA

Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege"
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.

Subject:
Security ID: Window Manager\DWM-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x107C1

Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege"
Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TM5QNT2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: Window Manager\DWM-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x107FA
Linked Logon ID: 0x107C1
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x224
Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  11252. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  11253.  
  11254. Subject:
  11255. Security ID: SYSTEM
  11256. Account Name: DESKTOP-TM5QNT2$
  11257. Account Domain: WORKGROUP
  11258. Logon ID: 0x3E7
  11259.  
  11260. Logon Information:
  11261. Logon Type: 2
  11262. Restricted Admin Mode: -
  11263. Virtual Account: Yes
  11264. Elevated Token: Yes
  11265.  
  11266. Impersonation Level: Impersonation
  11267.  
  11268. New Logon:
  11269. Security ID: Window Manager\DWM-1
  11270. Account Name: DWM-1
  11271. Account Domain: Window Manager
  11272. Logon ID: 0x107C1
  11273. Linked Logon ID: 0x107FA
  11274. Network Account Name: -
  11275. Network Account Domain: -
  11276. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11277.  
  11278. Process Information:
  11279. Process ID: 0x224
  11280. Process Name: C:\Windows\System32\winlogon.exe
  11281.  
  11282. Network Information:
  11283. Workstation Name: -
  11284. Source Network Address: -
  11285. Source Port: -
  11286.  
  11287. Detailed Authentication Information:
  11288. Logon Process: Advapi
  11289. Authentication Package: Negotiate
  11290. Transited Services: -
  11291. Package Name (NTLM only): -
  11292. Key Length: 0
  11293.  
  11294. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  11295.  
  11296. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  11297.  
  11298. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  11299.  
  11300. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  11301.  
  11302. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  11303.  
  11304. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  11305.  
  11306. The authentication information fields provide detailed information about this specific logon request.
  11307. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  11308. - Transited services indicate which intermediate services have participated in this logon request.
  11309. - Package name indicates which sub-protocol was used among the NTLM protocols.
  11310. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  11311. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
  11312.  
  11313. Subject:
  11314. Security ID: SYSTEM
  11315. Account Name: DESKTOP-TM5QNT2$
  11316. Account Domain: WORKGROUP
  11317. Logon ID: 0x3E7
  11318. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11319.  
  11320. Account Whose Credentials Were Used:
  11321. Account Name: DWM-1
  11322. Account Domain: Window Manager
  11323. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11324.  
  11325. Target Server:
  11326. Target Server Name: localhost
  11327. Additional Information: localhost
  11328.  
  11329. Process Information:
  11330. Process ID: 0x224
  11331. Process Name: C:\Windows\System32\winlogon.exe
  11332.  
  11333. Network Information:
  11334. Network Address: -
  11335. Port: -
  11336.  
  11337. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
  11338. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  11339.  
  11340. Subject:
  11341. Security ID: SYSTEM
  11342. Account Name: SYSTEM
  11343. Account Domain: NT AUTHORITY
  11344. Logon ID: 0x3E7
  11345.  
  11346. Privileges: SeAssignPrimaryTokenPrivilege
  11347. SeTcbPrivilege
  11348. SeSecurityPrivilege
  11349. SeTakeOwnershipPrivilege
  11350. SeLoadDriverPrivilege
  11351. SeBackupPrivilege
  11352. SeRestorePrivilege
  11353. SeDebugPrivilege
  11354. SeAuditPrivilege
  11355. SeSystemEnvironmentPrivilege
  11356. SeImpersonatePrivilege
  11357. SeDelegateSessionUserImpersonatePrivilege"
  11358. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  11359.  
  11360. Subject:
  11361. Security ID: SYSTEM
  11362. Account Name: DESKTOP-TM5QNT2$
  11363. Account Domain: WORKGROUP
  11364. Logon ID: 0x3E7
  11365.  
  11366. Logon Information:
  11367. Logon Type: 5
  11368. Restricted Admin Mode: -
  11369. Virtual Account: No
  11370. Elevated Token: Yes
  11371.  
  11372. Impersonation Level: Impersonation
  11373.  
  11374. New Logon:
  11375. Security ID: SYSTEM
  11376. Account Name: SYSTEM
  11377. Account Domain: NT AUTHORITY
  11378. Logon ID: 0x3E7
  11379. Linked Logon ID: 0x0
  11380. Network Account Name: -
  11381. Network Account Domain: -
  11382. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11383.  
  11384. Process Information:
  11385. Process ID: 0x2f0
  11386. Process Name: C:\Windows\System32\services.exe
  11387.  
  11388. Network Information:
  11389. Workstation Name: -
  11390. Source Network Address: -
  11391. Source Port: -
  11392.  
  11393. Detailed Authentication Information:
  11394. Logon Process: Advapi
  11395. Authentication Package: Negotiate
  11396. Transited Services: -
  11397. Package Name (NTLM only): -
  11398. Key Length: 0
  11399.  
  11400. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  11401.  
  11402. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  11403.  
  11404. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  11405.  
  11406. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  11407.  
  11408. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  11409.  
  11410. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  11411.  
  11412. The authentication information fields provide detailed information about this specific logon request.
  11413. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  11414. - Transited services indicate which intermediate services have participated in this logon request.
  11415. - Package name indicates which sub-protocol was used among the NTLM protocols.
  11416. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  11417. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  11418.  
  11419. Subject:
  11420. Security ID: SYSTEM
  11421. Account Name: DESKTOP-TM5QNT2$
  11422. Account Domain: WORKGROUP
  11423. Logon ID: 0x3E7
  11424.  
  11425. Logon Information:
  11426. Logon Type: 2
  11427. Restricted Admin Mode: -
  11428. Virtual Account: Yes
  11429. Elevated Token: No
  11430.  
  11431. Impersonation Level: Impersonation
  11432.  
  11433. New Logon:
  11434. Security ID: Font Driver Host\UMFD-1
  11435. Account Name: UMFD-1
  11436. Account Domain: Font Driver Host
  11437. Logon ID: 0xF7D3
  11438. Linked Logon ID: 0x0
  11439. Network Account Name: -
  11440. Network Account Domain: -
  11441. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11442.  
  11443. Process Information:
  11444. Process ID: 0x224
  11445. Process Name: C:\Windows\System32\winlogon.exe
  11446.  
  11447. Network Information:
  11448. Workstation Name: -
  11449. Source Network Address: -
  11450. Source Port: -
  11451.  
  11452. Detailed Authentication Information:
  11453. Logon Process: Advapi
  11454. Authentication Package: Negotiate
  11455. Transited Services: -
  11456. Package Name (NTLM only): -
  11457. Key Length: 0
  11458.  
  11459. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  11460.  
  11461. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  11462.  
  11463. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  11464.  
  11465. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  11466.  
  11467. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  11468.  
  11469. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  11470.  
  11471. The authentication information fields provide detailed information about this specific logon request.
  11472. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  11473. - Transited services indicate which intermediate services have participated in this logon request.
  11474. - Package name indicates which sub-protocol was used among the NTLM protocols.
  11475. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  11476. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
  11477.  
  11478. Subject:
  11479. Security ID: SYSTEM
  11480. Account Name: DESKTOP-TM5QNT2$
  11481. Account Domain: WORKGROUP
  11482. Logon ID: 0x3E7
  11483. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11484.  
  11485. Account Whose Credentials Were Used:
  11486. Account Name: UMFD-1
  11487. Account Domain: Font Driver Host
  11488. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11489.  
  11490. Target Server:
  11491. Target Server Name: localhost
  11492. Additional Information: localhost
  11493.  
  11494. Process Information:
  11495. Process ID: 0x224
  11496. Process Name: C:\Windows\System32\winlogon.exe
  11497.  
  11498. Network Information:
  11499. Network Address: -
  11500. Port: -
  11501.  
  11502. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
  11503. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  11504.  
  11505. Subject:
  11506. Security ID: SYSTEM
  11507. Account Name: SYSTEM
  11508. Account Domain: NT AUTHORITY
  11509. Logon ID: 0x3E7
  11510.  
  11511. Privileges: SeAssignPrimaryTokenPrivilege
  11512. SeTcbPrivilege
  11513. SeSecurityPrivilege
  11514. SeTakeOwnershipPrivilege
  11515. SeLoadDriverPrivilege
  11516. SeBackupPrivilege
  11517. SeRestorePrivilege
  11518. SeDebugPrivilege
  11519. SeAuditPrivilege
  11520. SeSystemEnvironmentPrivilege
  11521. SeImpersonatePrivilege
  11522. SeDelegateSessionUserImpersonatePrivilege"
  11523. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  11524.  
  11525. Subject:
  11526. Security ID: SYSTEM
  11527. Account Name: DESKTOP-TM5QNT2$
  11528. Account Domain: WORKGROUP
  11529. Logon ID: 0x3E7
  11530.  
  11531. Logon Information:
  11532. Logon Type: 5
  11533. Restricted Admin Mode: -
  11534. Virtual Account: No
  11535. Elevated Token: Yes
  11536.  
  11537. Impersonation Level: Impersonation
  11538.  
  11539. New Logon:
  11540. Security ID: SYSTEM
  11541. Account Name: SYSTEM
  11542. Account Domain: NT AUTHORITY
  11543. Logon ID: 0x3E7
  11544. Linked Logon ID: 0x0
  11545. Network Account Name: -
  11546. Network Account Domain: -
  11547. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11548.  
  11549. Process Information:
  11550. Process ID: 0x2f0
  11551. Process Name: C:\Windows\System32\services.exe
  11552.  
  11553. Network Information:
  11554. Workstation Name: -
  11555. Source Network Address: -
  11556. Source Port: -
  11557.  
  11558. Detailed Authentication Information:
  11559. Logon Process: Advapi
  11560. Authentication Package: Negotiate
  11561. Transited Services: -
  11562. Package Name (NTLM only): -
  11563. Key Length: 0
  11564.  
  11565. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  11566.  
  11567. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  11568.  
  11569. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  11570.  
  11571. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  11572.  
  11573. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  11574.  
  11575. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  11576.  
  11577. The authentication information fields provide detailed information about this specific logon request.
  11578. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  11579. - Transited services indicate which intermediate services have participated in this logon request.
  11580. - Package name indicates which sub-protocol was used among the NTLM protocols.
  11581. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  11582. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  11583.  
  11584. Subject:
  11585. Security ID: NETWORK SERVICE
  11586. Account Name: NETWORK SERVICE
  11587. Account Domain: NT AUTHORITY
  11588. Logon ID: 0x3E4
  11589.  
  11590. Privileges: SeAssignPrimaryTokenPrivilege
  11591. SeAuditPrivilege
  11592. SeImpersonatePrivilege"
  11593. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  11594.  
  11595. Subject:
  11596. Security ID: SYSTEM
  11597. Account Name: DESKTOP-TM5QNT2$
  11598. Account Domain: WORKGROUP
  11599. Logon ID: 0x3E7
  11600.  
  11601. Logon Information:
  11602. Logon Type: 5
  11603. Restricted Admin Mode: -
  11604. Virtual Account: No
  11605. Elevated Token: Yes
  11606.  
  11607. Impersonation Level: Impersonation
  11608.  
  11609. New Logon:
  11610. Security ID: NETWORK SERVICE
  11611. Account Name: NETWORK SERVICE
  11612. Account Domain: NT AUTHORITY
  11613. Logon ID: 0x3E4
  11614. Linked Logon ID: 0x0
  11615. Network Account Name: -
  11616. Network Account Domain: -
  11617. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11618.  
  11619. Process Information:
  11620. Process ID: 0x2f0
  11621. Process Name: C:\Windows\System32\services.exe
  11622.  
  11623. Network Information:
  11624. Workstation Name: -
  11625. Source Network Address: -
  11626. Source Port: -
  11627.  
  11628. Detailed Authentication Information:
  11629. Logon Process: Advapi
  11630. Authentication Package: Negotiate
  11631. Transited Services: -
  11632. Package Name (NTLM only): -
  11633. Key Length: 0
  11634.  
  11635. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  11636.  
  11637. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  11638.  
  11639. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  11640.  
  11641. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  11642.  
  11643. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  11644.  
  11645. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  11646.  
  11647. The authentication information fields provide detailed information about this specific logon request.
  11648. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  11649. - Transited services indicate which intermediate services have participated in this logon request.
  11650. - Package name indicates which sub-protocol was used among the NTLM protocols.
  11651. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  11652. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  11653.  
  11654. Subject:
  11655. Security ID: SYSTEM
  11656. Account Name: SYSTEM
  11657. Account Domain: NT AUTHORITY
  11658. Logon ID: 0x3E7
  11659.  
  11660. Privileges: SeAssignPrimaryTokenPrivilege
  11661. SeTcbPrivilege
  11662. SeSecurityPrivilege
  11663. SeTakeOwnershipPrivilege
  11664. SeLoadDriverPrivilege
  11665. SeBackupPrivilege
  11666. SeRestorePrivilege
  11667. SeDebugPrivilege
  11668. SeAuditPrivilege
  11669. SeSystemEnvironmentPrivilege
  11670. SeImpersonatePrivilege
  11671. SeDelegateSessionUserImpersonatePrivilege"
  11672. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  11673.  
  11674. Subject:
  11675. Security ID: SYSTEM
  11676. Account Name: DESKTOP-TM5QNT2$
  11677. Account Domain: WORKGROUP
  11678. Logon ID: 0x3E7
  11679.  
  11680. Logon Information:
  11681. Logon Type: 5
  11682. Restricted Admin Mode: -
  11683. Virtual Account: No
  11684. Elevated Token: Yes
  11685.  
  11686. Impersonation Level: Impersonation
  11687.  
  11688. New Logon:
  11689. Security ID: SYSTEM
  11690. Account Name: SYSTEM
  11691. Account Domain: NT AUTHORITY
  11692. Logon ID: 0x3E7
  11693. Linked Logon ID: 0x0
  11694. Network Account Name: -
  11695. Network Account Domain: -
  11696. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11697.  
  11698. Process Information:
  11699. Process ID: 0x2f0
  11700. Process Name: C:\Windows\System32\services.exe
  11701.  
  11702. Network Information:
  11703. Workstation Name: -
  11704. Source Network Address: -
  11705. Source Port: -
  11706.  
  11707. Detailed Authentication Information:
  11708. Logon Process: Advapi
  11709. Authentication Package: Negotiate
  11710. Transited Services: -
  11711. Package Name (NTLM only): -
  11712. Key Length: 0
  11713.  
  11714. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  11715.  
  11716. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  11717.  
  11718. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  11719.  
  11720. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  11721.  
  11722. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  11723.  
  11724. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  11725.  
  11726. The authentication information fields provide detailed information about this specific logon request.
  11727. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  11728. - Transited services indicate which intermediate services have participated in this logon request.
  11729. - Package name indicates which sub-protocol was used among the NTLM protocols.
  11730. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  11731. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  11732.  
  11733. Subject:
  11734. Security ID: SYSTEM
  11735. Account Name: DESKTOP-TM5QNT2$
  11736. Account Domain: WORKGROUP
  11737. Logon ID: 0x3E7
  11738.  
  11739. Logon Information:
  11740. Logon Type: 2
  11741. Restricted Admin Mode: -
  11742. Virtual Account: Yes
  11743. Elevated Token: No
  11744.  
  11745. Impersonation Level: Impersonation
  11746.  
  11747. New Logon:
  11748. Security ID: Font Driver Host\UMFD-0
  11749. Account Name: UMFD-0
  11750. Account Domain: Font Driver Host
  11751. Logon ID: 0xAD22
  11752. Linked Logon ID: 0x0
  11753. Network Account Name: -
  11754. Network Account Domain: -
  11755. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11756.  
  11757. Process Information:
  11758. Process ID: 0x2a4
  11759. Process Name: C:\Windows\System32\wininit.exe
  11760.  
  11761. Network Information:
  11762. Workstation Name: -
  11763. Source Network Address: -
  11764. Source Port: -
  11765.  
  11766. Detailed Authentication Information:
  11767. Logon Process: Advapi
  11768. Authentication Package: Negotiate
  11769. Transited Services: -
  11770. Package Name (NTLM only): -
  11771. Key Length: 0
  11772.  
  11773. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  11774.  
  11775. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  11776.  
  11777. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  11778.  
  11779. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  11780.  
  11781. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  11782.  
  11783. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  11784.  
  11785. The authentication information fields provide detailed information about this specific logon request.
  11786. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  11787. - Transited services indicate which intermediate services have participated in this logon request.
  11788. - Package name indicates which sub-protocol was used among the NTLM protocols.
  11789. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  11790. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
  11791.  
  11792. Subject:
  11793. Security ID: SYSTEM
  11794. Account Name: DESKTOP-TM5QNT2$
  11795. Account Domain: WORKGROUP
  11796. Logon ID: 0x3E7
  11797. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11798.  
  11799. Account Whose Credentials Were Used:
  11800. Account Name: UMFD-0
  11801. Account Domain: Font Driver Host
  11802. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11803.  
  11804. Target Server:
  11805. Target Server Name: localhost
  11806. Additional Information: localhost
  11807.  
  11808. Process Information:
  11809. Process ID: 0x2a4
  11810. Process Name: C:\Windows\System32\wininit.exe
  11811.  
  11812. Network Information:
  11813. Network Address: -
  11814. Port: -
  11815.  
  11816. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
  11817. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  11818.  
  11819. Subject:
  11820. Security ID: SYSTEM
  11821. Account Name: SYSTEM
  11822. Account Domain: NT AUTHORITY
  11823. Logon ID: 0x3E7
  11824.  
  11825. Privileges: SeAssignPrimaryTokenPrivilege
  11826. SeTcbPrivilege
  11827. SeSecurityPrivilege
  11828. SeTakeOwnershipPrivilege
  11829. SeLoadDriverPrivilege
  11830. SeBackupPrivilege
  11831. SeRestorePrivilege
  11832. SeDebugPrivilege
  11833. SeAuditPrivilege
  11834. SeSystemEnvironmentPrivilege
  11835. SeImpersonatePrivilege
  11836. SeDelegateSessionUserImpersonatePrivilege"
  11837. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  11838.  
  11839. Subject:
  11840. Security ID: SYSTEM
  11841. Account Name: DESKTOP-TM5QNT2$
  11842. Account Domain: WORKGROUP
  11843. Logon ID: 0x3E7
  11844.  
  11845. Logon Information:
  11846. Logon Type: 5
  11847. Restricted Admin Mode: -
  11848. Virtual Account: No
  11849. Elevated Token: Yes
  11850.  
  11851. Impersonation Level: Impersonation
  11852.  
  11853. New Logon:
  11854. Security ID: SYSTEM
  11855. Account Name: SYSTEM
  11856. Account Domain: NT AUTHORITY
  11857. Logon ID: 0x3E7
  11858. Linked Logon ID: 0x0
  11859. Network Account Name: -
  11860. Network Account Domain: -
  11861. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11862.  
  11863. Process Information:
  11864. Process ID: 0x2f0
  11865. Process Name: C:\Windows\System32\services.exe
  11866.  
  11867. Network Information:
  11868. Workstation Name: -
  11869. Source Network Address: -
  11870. Source Port: -
  11871.  
  11872. Detailed Authentication Information:
  11873. Logon Process: Advapi
  11874. Authentication Package: Negotiate
  11875. Transited Services: -
  11876. Package Name (NTLM only): -
  11877. Key Length: 0
  11878.  
  11879. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  11880.  
  11881. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  11882.  
  11883. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  11884.  
  11885. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  11886.  
  11887. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  11888.  
  11889. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  11890.  
  11891. The authentication information fields provide detailed information about this specific logon request.
  11892. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  11893. - Transited services indicate which intermediate services have participated in this logon request.
  11894. - Package name indicates which sub-protocol was used among the NTLM protocols.
  11895. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  11896. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4902 Audit Policy Change "The Per-user audit policy table was created.
  11897.  
  11898. Number of Elements: 0
  11899. Policy ID: 0xABAE"
  11900. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  11901.  
  11902. Subject:
  11903. Security ID: NULL SID
  11904. Account Name: -
  11905. Account Domain: -
  11906. Logon ID: 0x0
  11907.  
  11908. Logon Information:
  11909. Logon Type: 0
  11910. Restricted Admin Mode: -
  11911. Virtual Account: No
  11912. Elevated Token: Yes
  11913.  
  11914. Impersonation Level: -
  11915.  
  11916. New Logon:
  11917. Security ID: SYSTEM
  11918. Account Name: SYSTEM
  11919. Account Domain: NT AUTHORITY
  11920. Logon ID: 0x3E7
  11921. Linked Logon ID: 0x0
  11922. Network Account Name: -
  11923. Network Account Domain: -
  11924. Logon GUID: {00000000-0000-0000-0000-000000000000}
  11925.  
  11926. Process Information:
  11927. Process ID: 0x4
  11928. Process Name:
  11929.  
  11930. Network Information:
  11931. Workstation Name: -
  11932. Source Network Address: -
  11933. Source Port: -
  11934.  
  11935. Detailed Authentication Information:
  11936. Logon Process: -
  11937. Authentication Package: -
  11938. Transited Services: -
  11939. Package Name (NTLM only): -
  11940. Key Length: 0
  11941.  
  11942. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  11943.  
  11944. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  11945.  
  11946. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  11947.  
  11948. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  11949.  
  11950. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  11951.  
  11952. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  11953.  
  11954. The authentication information fields provide detailed information about this specific logon request.
  11955. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  11956. - Transited services indicate which intermediate services have participated in this logon request.
  11957. - Package name indicates which sub-protocol was used among the NTLM protocols.
  11958. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  11959. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4608 Security State Change "Windows is starting up.
  11960.  
  11961. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized."
  11962. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  11963.  
  11964. Creator Subject:
  11965. Security ID: SYSTEM
  11966. Account Name: -
  11967. Account Domain: -
  11968. Logon ID: 0x3E7
  11969.  
  11970. Target Subject:
  11971. Security ID: NULL SID
  11972. Account Name: -
  11973. Account Domain: -
  11974. Logon ID: 0x0
  11975.  
  11976. Process Information:
  11977. New Process ID: 0x2f8
  11978. New Process Name: C:\Windows\System32\lsass.exe
  11979. Token Elevation Type: %%1936
  11980. Mandatory Label: Mandatory Label\System Mandatory Level
  11981. Creator Process ID: 0x2a4
  11982. Creator Process Name: C:\Windows\System32\wininit.exe
  11983. Process Command Line:
  11984.  
  11985. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  11986.  
  11987. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  11988.  
  11989. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  11990.  
  11991. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  11992. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  11993.  
  11994. Creator Subject:
  11995. Security ID: SYSTEM
  11996. Account Name: -
  11997. Account Domain: -
  11998. Logon ID: 0x3E7
  11999.  
  12000. Target Subject:
  12001. Security ID: NULL SID
  12002. Account Name: -
  12003. Account Domain: -
  12004. Logon ID: 0x0
  12005.  
  12006. Process Information:
  12007. New Process ID: 0x2f0
  12008. New Process Name: C:\Windows\System32\services.exe
  12009. Token Elevation Type: %%1936
  12010. Mandatory Label: Mandatory Label\System Mandatory Level
  12011. Creator Process ID: 0x2a4
  12012. Creator Process Name: C:\Windows\System32\wininit.exe
  12013. Process Command Line:
  12014.  
  12015. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  12016.  
  12017. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  12018.  
  12019. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  12020.  
  12021. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  12022. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  12023.  
  12024. Creator Subject:
  12025. Security ID: SYSTEM
  12026. Account Name: -
  12027. Account Domain: -
  12028. Logon ID: 0x3E7
  12029.  
  12030. Target Subject:
  12031. Security ID: NULL SID
  12032. Account Name: -
  12033. Account Domain: -
  12034. Logon ID: 0x0
  12035.  
  12036. Process Information:
  12037. New Process ID: 0x2ac
  12038. New Process Name: C:\Windows\System32\csrss.exe
  12039. Token Elevation Type: %%1936
  12040. Mandatory Label: Mandatory Label\System Mandatory Level
  12041. Creator Process ID: 0x29c
  12042. Creator Process Name: C:\Windows\System32\smss.exe
  12043. Process Command Line:
  12044.  
  12045. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  12046.  
  12047. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  12048.  
  12049. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  12050.  
  12051. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  12052. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  12053.  
  12054. Creator Subject:
  12055. Security ID: SYSTEM
  12056. Account Name: -
  12057. Account Domain: -
  12058. Logon ID: 0x3E7
  12059.  
  12060. Target Subject:
  12061. Security ID: NULL SID
  12062. Account Name: -
  12063. Account Domain: -
  12064. Logon ID: 0x0
  12065.  
  12066. Process Information:
  12067. New Process ID: 0x2a4
  12068. New Process Name: C:\Windows\System32\wininit.exe
  12069. Token Elevation Type: %%1936
  12070. Mandatory Label: Mandatory Label\System Mandatory Level
  12071. Creator Process ID: 0x23c
  12072. Creator Process Name: C:\Windows\System32\smss.exe
  12073. Process Command Line:
  12074.  
  12075. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  12076.  
  12077. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  12078.  
  12079. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  12080.  
  12081. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  12082. Audit Success 5/2/2017 4:38:53 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  12083.  
  12084. Creator Subject:
  12085. Security ID: SYSTEM
  12086. Account Name: -
  12087. Account Domain: -
  12088. Logon ID: 0x3E7
  12089.  
  12090. Target Subject:
  12091. Security ID: NULL SID
  12092. Account Name: -
  12093. Account Domain: -
  12094. Logon ID: 0x0
  12095.  
  12096. Process Information:
  12097. New Process ID: 0x29c
  12098. New Process Name: C:\Windows\System32\smss.exe
  12099. Token Elevation Type: %%1936
  12100. Mandatory Label: Mandatory Label\System Mandatory Level
  12101. Creator Process ID: 0x1c8
  12102. Creator Process Name: C:\Windows\System32\smss.exe
  12103. Process Command Line:
  12104.  
  12105. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  12106.  
  12107. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  12108.  
  12109. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  12110.  
  12111. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  12112. Audit Success 5/2/2017 4:38:52 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  12113.  
  12114. Creator Subject:
  12115. Security ID: SYSTEM
  12116. Account Name: -
  12117. Account Domain: -
  12118. Logon ID: 0x3E7
  12119.  
  12120. Target Subject:
  12121. Security ID: NULL SID
  12122. Account Name: -
  12123. Account Domain: -
  12124. Logon ID: 0x0
  12125.  
  12126. Process Information:
  12127. New Process ID: 0x248
  12128. New Process Name: C:\Windows\System32\csrss.exe
  12129. Token Elevation Type: %%1936
  12130. Mandatory Label: Mandatory Label\System Mandatory Level
  12131. Creator Process ID: 0x23c
  12132. Creator Process Name: C:\Windows\System32\smss.exe
  12133. Process Command Line:
  12134.  
  12135. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  12136.  
  12137. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  12138.  
  12139. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  12140.  
  12141. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  12142. Audit Success 5/2/2017 4:38:52 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  12143.  
  12144. Creator Subject:
  12145. Security ID: SYSTEM
  12146. Account Name: -
  12147. Account Domain: -
  12148. Logon ID: 0x3E7
  12149.  
  12150. Target Subject:
  12151. Security ID: NULL SID
  12152. Account Name: -
  12153. Account Domain: -
  12154. Logon ID: 0x0
  12155.  
  12156. Process Information:
  12157. New Process ID: 0x23c
  12158. New Process Name: C:\Windows\System32\smss.exe
  12159. Token Elevation Type: %%1936
  12160. Mandatory Label: Mandatory Label\System Mandatory Level
  12161. Creator Process ID: 0x1c8
  12162. Creator Process Name: C:\Windows\System32\smss.exe
  12163. Process Command Line:
  12164.  
  12165. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  12166.  
  12167. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  12168.  
  12169. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  12170.  
  12171. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  12172. Audit Success 5/2/2017 4:38:51 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  12173.  
  12174. Creator Subject:
  12175. Security ID: SYSTEM
  12176. Account Name: -
  12177. Account Domain: -
  12178. Logon ID: 0x3E7
  12179.  
  12180. Target Subject:
  12181. Security ID: NULL SID
  12182. Account Name: -
  12183. Account Domain: -
  12184. Logon ID: 0x0
  12185.  
  12186. Process Information:
  12187. New Process ID: 0x1d4
  12188. New Process Name: C:\Windows\System32\autochk.exe
  12189. Token Elevation Type: %%1936
  12190. Mandatory Label: Mandatory Label\System Mandatory Level
  12191. Creator Process ID: 0x1c8
  12192. Creator Process Name: C:\Windows\System32\smss.exe
  12193. Process Command Line:
  12194.  
  12195. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  12196.  
  12197. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  12198.  
  12199. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  12200.  
  12201. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  12202. Audit Success 5/2/2017 4:38:51 PM Microsoft-Windows-Security-Auditing 4688 Process Creation "A new process has been created.
  12203.  
  12204. Creator Subject:
  12205. Security ID: SYSTEM
  12206. Account Name: -
  12207. Account Domain: -
  12208. Logon ID: 0x3E7
  12209.  
  12210. Target Subject:
  12211. Security ID: NULL SID
  12212. Account Name: -
  12213. Account Domain: -
  12214. Logon ID: 0x0
  12215.  
  12216. Process Information:
  12217. New Process ID: 0x1c8
  12218. New Process Name: C:\Windows\System32\smss.exe
  12219. Token Elevation Type: %%1936
  12220. Mandatory Label: Mandatory Label\System Mandatory Level
  12221. Creator Process ID: 0x4
  12222. Creator Process Name:
  12223. Process Command Line:
  12224.  
  12225. Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
  12226.  
  12227. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
  12228.  
  12229. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
  12230.  
  12231. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
  12232. Audit Success 5/2/2017 4:38:51 PM Microsoft-Windows-Security-Auditing 4826 Other Policy Change Events "Boot Configuration Data loaded.
  12233.  
  12234. Subject:
  12235. Security ID: SYSTEM
  12236. Account Name: -
  12237. Account Domain: -
  12238. Logon ID: 0x3E7
  12239.  
  12240. General Settings:
  12241. Load Options: -
  12242. Advanced Options: No
  12243. Configuration Access Policy: Default
  12244. System Event Logging: No
  12245. Kernel Debugging: No
  12246. VSM Launch Type: Off
  12247.  
  12248. Signature Settings:
  12249. Test Signing: No
  12250. Flight Signing: No
  12251. Disable Integrity Checks: No
  12252.  
  12253. HyperVisor Settings:
  12254. HyperVisor Load Options: -
  12255. HyperVisor Launch Type: Off
  12256. HyperVisor Debugging: No"
  12257. Audit Success 5/2/2017 4:38:23 PM Microsoft-Windows-Security-Auditing 4647 Logoff "User initiated logoff:
  12258.  
  12259. Subject:
  12260. Security ID: DESKTOP-TM5QNT2\Jai
  12261. Account Name: Jai
  12262. Account Domain: DESKTOP-TM5QNT2
  12263. Logon ID: 0x3BDBA
  12264.  
  12265. This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event."
  12266. Audit Success 5/2/2017 4:38:23 PM Microsoft-Windows-Security-Auditing 4634 Logoff "An account was logged off.
  12267.  
  12268. Subject:
  12269. Security ID: Font Driver Host\UMFD-1
  12270. Account Name: UMFD-1
  12271. Account Domain: Font Driver Host
  12272. Logon ID: 0xFEE6
  12273.  
  12274. Logon Type: 2
  12275.  
  12276. This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
  12277. Audit Success 5/2/2017 4:38:23 PM Microsoft-Windows-Eventlog 1100 Service shutdown The event logging service has shut down.
  12278. Audit Success 5/2/2017 4:38:16 PM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
  12279.  
  12280. Subject:
  12281. Security ID: SYSTEM
  12282. Account Name: SYSTEM
  12283. Account Domain: NT AUTHORITY
  12284. Logon ID: 0x3E7
  12285.  
  12286. Privileges: SeAssignPrimaryTokenPrivilege
  12287. SeTcbPrivilege
  12288. SeSecurityPrivilege
  12289. SeTakeOwnershipPrivilege
  12290. SeLoadDriverPrivilege
  12291. SeBackupPrivilege
  12292. SeRestorePrivilege
  12293. SeDebugPrivilege
  12294. SeAuditPrivilege
  12295. SeSystemEnvironmentPrivilege
  12296. SeImpersonatePrivilege
  12297. SeDelegateSessionUserImpersonatePrivilege"
  12298. Audit Success 5/2/2017 4:38:16 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
  12299.  
  12300. Subject:
  12301. Security ID: SYSTEM
  12302. Account Name: DESKTOP-TM5QNT2$
  12303. Account Domain: WORKGROUP
  12304. Logon ID: 0x3E7
  12305.  
  12306. Logon Information:
  12307. Logon Type: 5
  12308. Restricted Admin Mode: -
  12309. Virtual Account: No
  12310. Elevated Token: Yes
  12311.  
  12312. Impersonation Level: Impersonation
  12313.  
  12314. New Logon:
  12315. Security ID: SYSTEM
  12316. Account Name: SYSTEM
  12317. Account Domain: NT AUTHORITY
  12318. Logon ID: 0x3E7
  12319. Linked Logon ID: 0x0
  12320. Network Account Name: -
  12321. Network Account Domain: -
  12322. Logon GUID: {00000000-0000-0000-0000-000000000000}
  12323.  
  12324. Process Information:
  12325. Process ID: 0x2ec
  12326. Process Name: C:\Windows\System32\services.exe
  12327.  
  12328. Network Information:
  12329. Workstation Name: -
  12330. Source Network Address: -
  12331. Source Port: -
  12332.  
  12333. Detailed Authentication Information:
  12334. Logon Process: Advapi
  12335. Authentication Package: Negotiate
  12336. Transited Services: -
  12337. Package Name (NTLM only): -
  12338. Key Length: 0
  12339.  
  12340. This event is generated when a logon session is created. It is generated on the computer that was accessed.
  12341.  
  12342. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  12343.  
  12344. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
  12345.  
  12346. The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
  12347.  
  12348. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  12349.  
  12350. The impersonation level field indicates the extent to which a process in the logon session can impersonate.
  12351.  
  12352. The authentication information fields provide detailed information about this specific logon request.
  12353. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  12354. - Transited services indicate which intermediate services have participated in this logon request.
  12355. - Package name indicates which sub-protocol was used among the NTLM protocols.
  12356. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
  12357. Audit Success 5/2/2017 4:37:56 PM Microsoft-Windows-Eventlog 1102 Log clear "The audit log was cleared.
  12358. Subject:
  12359. Security ID: DESKTOP-TM5QNT2\Jai
  12360. Account Name: Jai
  12361. Domain Name: DESKTOP-TM5QNT2
  12362. Logon ID: 0x3BD83"