Unauthorized Access??? Help interpreting Event Viewer
Hi.
I just got home and found my computer turned on.
It had been in sleep mode for a few days.
The screen saver was on, and once I moved the mouse I had to enter the password to log in.
What is driving me crazy is, something woke it up... And I don't know if someone accessed my files...
I am guessing it could be one of 3 things:
1-Someone or something moved the mouse or pressed a key.
2-Someone at my house tried to/accessed it.
3-Someone woke it by LAN and accessed it remotely.
(I was/am worried about this one because I have LogMeIn installed - but I checked the LMI log and it was clear).
I got home at 12:45 am. I checked the Event viewer and noticed that a login had happened at 11:50pm something.
The problem is, I did some tests and realized that just moving the mouse and waking up the computer (without entering the password and accessing Windows) causes the Event Viewer to add a "logon" event, even though access was never granted.
Could someone help me interpret these logs and tell me if the operating system was actually accessed between 11:59 and 12:40pm?
(I also have the detailed logs I could post... is it safe to share those?)
(These were mine: I got home at 12:45)
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4634 Logoff
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4648 Logon
(All of these happened while I was away)
Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change
Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon
Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon
PS: I am behind a router, Security Essentials and Win Firewall ON, and Windows password is very safe (14 digits).
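
Added example, not part of the original post: the one-line summaries above omit the Logon Type field of each 4624 event, which is what separates a console logon or unlock from a service, network or Remote Desktop logon. The PowerShell below lists that field for every 4624 in the window, assuming PowerShell 3.0 or later in an elevated session; the start and end times are taken from the timestamps in the post.

```powershell
# Added example: run from an elevated prompt (reading the Security log needs admin rights).
# Window chosen from the timestamps in the post; adjust to your own case.
$start = Get-Date '2011-10-31 23:55:00'
$end   = Get-Date '2011-11-01 00:45:00'

# Standard Windows logon type codes recorded in event 4624.
$logonTypes = @{
    2  = 'Interactive (console)'
    3  = 'Network'
    4  = 'Batch (scheduled task)'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $start; EndTime = $end }

Get-WinEvent -FilterHashtable $filter | Sort-Object TimeCreated | ForEach-Object {
    $evt  = $_
    $data = @{}
    # Flatten the <EventData><Data Name="..."> elements into a lookup table.
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $type = [int]$data['LogonType']
    $desc = $logonTypes[$type]
    if (-not $desc) { $desc = 'Other' }

    [pscustomobject]@{
        Time      = $evt.TimeCreated
        LogonType = "$type $desc"
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SourceIP  = $data['IpAddress']       # '-' or empty for local logons
        Process   = $data['ProcessName']     # e.g. services.exe or winlogon.exe
    }
} | Format-Table -AutoSize
```

Type 5 entries for SYSTEM started by services.exe are service starts after the machine wakes; types 2, 7 and 10 for a user account, or type 3 with a remote source address, are the ones that indicate a person or a remote session.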