Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Several log entries of event 4624 in security auditing

21 Oct 2012   #1
BoneMaN41

Windows 7 Home Premium 64 bit
 
 
Several log entries of event 4624 in security auditing

I have several of these logs reported followed shortly by an event 4634. What the heck is this. Is someone logging onto my computer when I get on it?

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/21/2012 9:23:56 PM
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: JohnsRig-PC
Description:
An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0xbf508f
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: TRACI
Source Network Address: 192.xxx.xxx.3
Source Port: 49182

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2012-10-22T02:23:56.295740600Z" />
<EventRecordID>36226</EventRecordID>
<Correlation />
<Execution ProcessID="620" ThreadID="4976" />
<Channel>Security</Channel>
<Computer>JohnsRig-PC</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-7</Data>
<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
<Data Name="TargetDomainName">NT AUTHORITY</Data>
<Data Name="TargetLogonId">0xbf508f</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">TRACI</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">NTLM V1</Data>
<Data Name="KeyLength">128</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">192.xxx.xxx.3</Data>
<Data Name="IpPort">49182</Data>
</EventData>
</Event>


My System SpecsSystem Spec
.
14 Oct 2013   #2
kombsh

win 7 32 bit
 
 

See this article Event 4624 null sid - Repeated security log to know about the event 4624 null sid
My System SpecsSystem Spec
Reply

 Several log entries of event 4624 in security auditing




Thread Tools





Similar help and support threads
Thread Forum
The Microsoft Security Essentials keys and entries
Hi  Where can I find an updated guide on the registry keys and entries of the latest version of Microsoft Security Essentials for all versions and editions of Windows 7 SP1?  Thanks 
System Security
Reproducible Win7 64-bit lock up - no event log entries
Hello, I have a home built machine that has been running without issue for a few months. On Friday, out of nowhere my screen completely froze (no change in clock, etc.) without any response to keyboard strokes, mouse clicks, CTRL+ALT+DEL, and so on. Some applications were running but I wasn't...
BSOD Help and Support
Sony Vaio VPCZ227GG Freezes with no errors, event log entries or dumps
Hi there, I bought a Sony Vaio VPCZ227GG almost 2 months back and its been running perfectly until the last week. There have been no hardware updates, system installs etc. only the recommended Sony Vaio Care driver udpates. I will be using the laptop for a while and then it will just crash....
BSOD Help and Support
Event Viewer: New Entries Under App. & Service Logs -> Microsoft
hi all, i always check my boot time from event manager following this pattern: Event viewer -> Applications and Services log -> Microsoft -> Windows -> Diagnostic Performance -> Operational off late, i have noticed under Microsoft i get another entry along with Windows. it is IEResp....
BSOD Help and Support
Random Computer Freezes With NO Event Log Entries
So my computer randomly freezes up and when I boot up there are no log entries of the event. There are however always 3 log entries but I don't believe they are related to the actual problem. The 3 that are always there are: 6008, 7026 and 41. Now when I say it freezes I mean it literally...
BSOD Help and Support
MSE, restarts before login, missing event log entries
Hi, I'm quite consternated and I'd love to hear your opinions on this. The story: I'm experiencing strange restarts but not random, I can routinely replicate it. After a boot IF I leave the logon screen alone (i.e. without logging in), the system restarts itself almost like automatically...
BSOD Help and Support

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 15:05.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App