Windows 8 and 8.1 Forums


Odd security entries on my main PC

  1. #1


    Sloe Deth, Californicatia
    Posts : 3,908
    Windows 8 Pro with Media Center/Windows 7

    Odd security entries on my main PC


    They look like this:

    Code:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          6/25/2013 9:28:37 PM
    Event ID:      4624
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      ASUS-PC
    Description:
    An account was successfully logged on.
    
    
    Subject:
        Security ID:        SYSTEM
        Account Name:        ASUS-PC$
        Account Domain:        WORKGROUP
        Logon ID:        0x3E7
    
    
    Logon Type:            5
    
    
    Impersonation Level:        Impersonation
    
    
    New Logon:
        Security ID:        SYSTEM
        Account Name:        SYSTEM
        Account Domain:        NT AUTHORITY
        Logon ID:        0x3E7
        Logon GUID:        {00000000-0000-0000-0000-000000000000}
    
    
    Process Information:
        Process ID:        0x2a0
        Process Name:        C:\Windows\System32\services.exe
    
    
    Network Information:
        Workstation Name:    
        Source Network Address:    -
        Source Port:        -
    
    
    Detailed Authentication Information:
        Logon Process:        Advapi  
        Authentication Package:    Negotiate
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0
    
    
    This event is generated when a logon session is created. It is generated on the computer that was accessed.
    
    
    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    
    
    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
    
    
    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
    
    
    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    
    
    The impersonation level field indicates the extent to which a process in the logon session can impersonate.
    
    
    The authentication information fields provide detailed information about this specific logon request.
        - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4624</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2013-06-26T04:28:37.928916400Z" />
        <EventRecordID>2936062</EventRecordID>
        <Correlation />
        <Execution ProcessID="688" ThreadID="712" />
        <Channel>Security</Channel>
        <Computer>ASUS-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">ASUS-PC$</Data>
        <Data Name="SubjectDomainName">WORKGROUP</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="TargetUserSid">S-1-5-18</Data>
        <Data Name="TargetUserName">SYSTEM</Data>
        <Data Name="TargetDomainName">NT AUTHORITY</Data>
        <Data Name="TargetLogonId">0x3e7</Data>
        <Data Name="LogonType">5</Data>
        <Data Name="LogonProcessName">Advapi  </Data>
        <Data Name="AuthenticationPackageName">Negotiate</Data>
        <Data Name="WorkstationName">
        </Data>
        <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x2a0</Data>
        <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
        <Data Name="IpAddress">-</Data>
        <Data Name="IpPort">-</Data>
        <Data Name="ImpersonationLevel">%%1833</Data>
      </EventData>
    </Event>
    It says the process was "advapi"; some sites say that "advapi" without the 32 appended to it is some kind of virus.

    I came home tonight and my PC was shut down. I found this in my security log, right before it had been shut off:

    Code:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          6/25/2013 7:49:22 PM
    Event ID:      4634
    Task Category: Logoff
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      ASUS-PC
    Description:
    An account was logged off.
    
    
    Subject:
        Security ID:        ANONYMOUS LOGON
        Account Name:        ANONYMOUS LOGON
        Account Domain:        NT AUTHORITY
        Logon ID:        0x288977F
    
    
    Logon Type:            3
    
    
    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4634</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12545</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2013-06-26T02:49:22.661049800Z" />
        <EventRecordID>2935956</EventRecordID>
        <Correlation />
        <Execution ProcessID="652" ThreadID="1372" />
        <Channel>Security</Channel>
        <Computer>ASUS-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="TargetUserSid">S-1-5-7</Data>
        <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
        <Data Name="TargetDomainName">NT AUTHORITY</Data>
        <Data Name="TargetLogonId">0x288977f</Data>
        <Data Name="LogonType">3</Data>
      </EventData>
    </Event>
    It looks like someone had gotten into my PC and shut it down remotely. Any ideas what this is? This may be related to my PC locking up randomly, usually after a BITS session when Windows is looking for updates for Metro Apps.

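The two events above are the kind a defender triages by field, not by the name "advapi": in a 4624 the Logon Process "Advapi" is what Windows records when the logon was created through the LogonUser API, which is exactly how services.exe creates a Type 5 (Service) logon for SYSTEM, while a 4634 carries no source address and only becomes informative once it is paired, by Logon ID, with the 4624 that opened the same session. The script below is an added example, not code from the thread or from Microsoft; it parses Event XML of the shape shown in the post (the schema that Event Viewer and Get-WinEvent emit), classifies each 4624 and joins 4634 logoffs to 4624 logons. The sample events are constructed: the first and third mirror the post's two events, and the second is a made-up 4624 for the ANONYMOUS LOGON session (with a documentation-range IP) because the thread shows only its 4634.

```python
import xml.etree.ElementTree as ET

# Namespace of the Event XML that Event Viewer / Get-WinEvent .ToXml() produce
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types documented for event 4624
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
ANONYMOUS_SID = "S-1-5-7"      # NT AUTHORITY\ANONYMOUS LOGON
LOCAL_SYSTEM_SID = "S-1-5-18"  # NT AUTHORITY\SYSTEM


def make_event(event_id, system_time, data):
    """Build a minimal Security-channel Event XML string (constructed sample data)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{system_time}"/>'
            f'<Channel>Security</Channel></System><EventData>{body}</EventData></Event>')


def parse_event(xml_text):
    """Flatten one Event XML into a dict of EventID, Time and every EventData field."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {"EventID": int(system.find("e:EventID", NS).text),
              "Time": system.find("e:TimeCreated", NS).get("SystemTime")}
    for d in root.findall("e:EventData/e:Data", NS):
        fields[d.get("Name")] = (d.text or "").strip()  # 'Advapi  ' -> 'Advapi'
    return fields


def classify_logon(ev):
    """Return (verdict, reason) for a parsed 4624 event."""
    lt = int(ev["LogonType"])
    name = LOGON_TYPES.get(lt, f"Unknown({lt})")
    proc = ev.get("ProcessName", "").lower()
    if (lt == 5 and ev.get("TargetUserSid") == LOCAL_SYSTEM_SID
            and proc.endswith("\\services.exe")):
        return "benign", (f"{name} logon for SYSTEM by services.exe; LogonProcess "
                          f"'{ev.get('LogonProcessName')}' is expected for this")
    if ev.get("TargetUserSid") == ANONYMOUS_SID and lt == 3:
        return "review", (f"{name} logon as ANONYMOUS LOGON from "
                          f"{ev.get('IpAddress', '-')}:{ev.get('IpPort', '-')}")
    return "info", f"{name} logon for {ev.get('TargetDomainName')}\\{ev.get('TargetUserName')}"


def correlate_sessions(events):
    """Pair 4624 logons with 4634 logoffs by TargetLogonId (unique only until reboot)."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["Time"]):
        lid = ev.get("TargetLogonId", "").lower()
        entry = sessions.setdefault(lid, {"user": ev.get("TargetUserName"),
                                          "type": int(ev["LogonType"]),
                                          "logon": None, "logoff": None})
        if ev["EventID"] == 4624:
            entry["logon"] = ev["Time"]
        elif ev["EventID"] == 4634:
            entry["logoff"] = ev["Time"]
    return sessions


# Constructed samples: events 1 and 3 mirror the post, event 2 is invented so the
# anonymous 4634 has a 4624 to join against (IP is from the documentation range).
SAMPLE_EVENTS = [
    make_event(4624, "2013-06-26T04:28:37Z", {
        "SubjectUserSid": LOCAL_SYSTEM_SID, "SubjectUserName": "ASUS-PC$",
        "TargetUserSid": LOCAL_SYSTEM_SID, "TargetUserName": "SYSTEM",
        "TargetDomainName": "NT AUTHORITY", "TargetLogonId": "0x3e7",
        "LogonType": "5", "LogonProcessName": "Advapi  ",
        "AuthenticationPackageName": "Negotiate",
        "ProcessName": r"C:\Windows\System32\services.exe",
        "IpAddress": "-", "IpPort": "-"}),
    make_event(4624, "2013-06-26T02:40:05Z", {
        "TargetUserSid": ANONYMOUS_SID, "TargetUserName": "ANONYMOUS LOGON",
        "TargetDomainName": "NT AUTHORITY", "TargetLogonId": "0x288977f",
        "LogonType": "3", "LogonProcessName": "NtLmSsp ",
        "AuthenticationPackageName": "NTLM",
        "IpAddress": "192.0.2.45", "IpPort": "49321"}),
    make_event(4634, "2013-06-26T02:49:22Z", {
        "TargetUserSid": ANONYMOUS_SID, "TargetUserName": "ANONYMOUS LOGON",
        "TargetDomainName": "NT AUTHORITY", "TargetLogonId": "0x288977f",
        "LogonType": "3"}),
]


def triage(xml_events):
    """Classify every 4624 and return the per-LogonId session table."""
    parsed = [parse_event(x) for x in xml_events]
    verdicts = [classify_logon(ev) for ev in parsed if ev["EventID"] == 4624]
    return verdicts, correlate_sessions(parsed)


if __name__ == "__main__":
    verdicts, sessions = triage(SAMPLE_EVENTS)
    for verdict, reason in verdicts:
        print(f"[{verdict}] {reason}")
    for lid, s in sessions.items():
        print(f"LogonId {lid}: {s['user']} type {s['type']} "
              f"logon={s['logon']} logoff={s['logoff']}")
```

On a real box the input list would come from the Security log export (Event Viewer's "Save All Events As" XML, or each record's XML from Get-WinEvent), and the value of the join is that the 4624 side holds the Source Network Address and Workstation Name that the 4634 alone never shows; a 4634 with no matching 4624 since the last boot is itself worth noting, since Logon IDs restart at reboot.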

  2. #2


    Sounds scary!


  3. #3


    Sloe Deth, Californicatia
    Posts : 3,908
    Windows 8 Pro with Media Center/Windows 7


    Sure, but how do I check it out? I think it is someone abusing my TeamViewer somehow, because I left TV running in Invisible Mode. I just got up to check on something, and when I pulled up the monitor for my main PC, TV was UP, like it comes up after a session has ended. The log does not tell me who it was, just that a session had started. It may have been maintenance; it says some printer drivers were deleted and then reinstalled.

    [Edit] - I just ran Malwarebytes Anti-Rootkit and it found something even before it scanned; it said some DLL file was loaded, and the indications were system lockups and intrusions similar to what I'm seeing here. Running the full scan now...
