Unauthorized Access??? Help interpreting Event Viewer


  1. Posts : 18
    Win 7 x64
       #1

    Hi.

    I just got home and found my computer turned on.
    It had been in sleep mode for a few days..

    The screen saver was on, and once I moved the mouse I had to enter the password to login.

    What is driving me crazy is, something woke it up... And I don't know if someone accessed my files...
    I am guessing it could be one of 3 things:

    1-Someone or something moved the mouse or pressed a key.
    2-Someone at my house tried to/accessed it.
    3-Someone woke it by LAN and accessed it remotely.
    (I was/am worried about this one because I have Log Me In installed - but I checked the LMI log and it was clear).

    I got home at 12:45 am. I checked the Event viewer and noticed that a login had happened at 11:50pm something.
    The problem is, I did some tests and realized that just moving the mouse and waking up the computer (without entering the password and accessing Windows) causes the Event Viewer to add a "logon" event, even though access was never granted.

    Could someone help me interpret these logs and tell me if the operating system was actually accessed between 11:59 and 12:40pm?
    (I also have the detailed logs I could post... is it safe to share those?)


    (these were mine: I got home at 12:45)
    Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4634 Logoff
    Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4648 Logon


    (All of these happened while I was away)
    Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change
    Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change
    Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change
    Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon
    Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon


    PS: I am behind a router, Security Essentials and Win Firewall ON, and Windows password is very safe (14 digits).


  2. Posts : 28,845
    Win 8 Release candidate 8400
       #2

    gtalarico said:
    Hi.

    I just got home and found my computer turned on.
    It had been in sleep mode for a few days..

    The screen saver was on, and once I moved the mouse I had to enter the password to login.

    What is driving me crazy is, something woke it up... And I don't know if someone accessed my files...
    I am guessing it could be one of 3 things:

    1-Someone or something moved the mouse or pressed a key.
    2-Someone at my house tried to/accessed it.
    3-Someone woke it by LAN and accessed it remotely.
    (I was/am worried about this one because I have Log Me In installed - but I checked the LMI log and it was clear).

    I got home at 12:45 am. I checked the Event viewer and noticed that a login had happened at 11:50pm something.
    The problem is, I did some tests and realized that just moving the mouse and waking up the computer (without entering the password and accessing Windows) causes the Event Viewer to add a "logon" event, even though access was never granted.

    Could someone help me interpret these logs and tell me if the operating system was actually accessed between 11:59 and 12:40pm?
    (I also have the detailed logs I could post... is it safe to share those?)


    (these were mine: I got home at 12:45)
    Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4634 Logoff
    Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4648 Logon


    (All of these happened while I was away)
    Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change
    Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change
    Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change
    Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon
    Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon


    PS: I am behind a router, Security Essentials and Win Firewall ON, and Windows password is very safe (14 digits).

    You can't tell from just this log, but I would not worry about it unless someone with physical access has your 14-digit password. It would take them years to break it.


  3. Posts : 17,545
    Windows 10 Pro x64 EN-GB
       #3

    gtalarico said:
    ...
    ...



    (All of these happened while I was away)
    1. Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon
    2. Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon
    3. Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change
    4. Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change
    5. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
    6. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
    7. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
    8. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
    9. Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change
    10. Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon
    11. Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon
    12. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    13. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    14. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    15. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon
    16. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon
    17. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon
    18. Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon
    19. Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon

    Reading from bottom (19) to top (1), this is what seems to have happened:

    • 19. to 15.: Windows Task Scheduler logs in using administrative rights.
    • 14. to 9.: Windows has synced the time, I'm not sure why it took four attempts.
    • 8. to 1.: Windows has added an event source to log (ID 4904) and removed it (ID 4905). Happens for instance when Task Scheduler kicks in to do a task which is then not needed / not done.

    I would not worry, looks normal Windows background maintenance.

    Kari
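
The summary list quoted above shows only event IDs; each 4624 record also stores a LogonType and the account and process behind it, which is what separates a background logon from a person signing in. An added example, not part of the thread, that pulls those fields for the window in the first post (the start and end times are assumptions based on that post):

```powershell
# Added example (not from the thread). Run from an elevated prompt:
# reading the Security log requires administrator rights.
$start = Get-Date '2011-10-31 23:55:00'   # window taken from the first post
$end   = Get-Date '2011-11-01 00:45:00'

# LogonType codes recorded in event 4624
$logonTypes = @{
    2  = 'Interactive (keyboard/console)'
    3  = 'Network'
    4  = 'Batch (scheduled task)'
    5  = 'Service'
    7  = 'Unlock'
    10 = 'RemoteInteractive (Remote Desktop)'
    11 = 'CachedInteractive'
}

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4648; StartTime = $start; EndTime = $end
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated | ForEach-Object {
    # Collect the named EventData fields of this record into a lookup table
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    # 4648 (explicit credentials) carries no LogonType field
    $kind = 'n/a'
    if ($data.LogonType) {
        $code = [int]$data.LogonType
        $kind = $logonTypes[$code]
        if (-not $kind) { $kind = "Type $code" }
    }
    New-Object PSObject -Property @{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Account = $data.TargetUserName
        Kind    = $kind
        Process = $data.ProcessName
        Source  = $data.IpAddress
    }
} | Format-Table Time, Id, Account, Kind, Process, Source -AutoSize
```

Rows of kind Batch or Service under accounts such as SYSTEM are background activity; Interactive, Unlock or RemoteInteractive rows under a user account during the window are the ones to look at, together with their Source address.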


  4. Posts : 18
    Win 7 x64
    Thread Starter
       #4

    Thanks for your help.

    So can Task Scheduler wake the computer up from sleep?
    If not, then I will just have to move on with my life, never knowing what woke my computer up...
    (sneaky roommate, ghost, evil spirits, mouse ?)

    At least I feel better knowing the system wasn't accessed.


  5. Posts : 18
    Win 7 x64
    Thread Starter
       #5



    Problem solved!!!

    Kari, you are my hero for mentioning the Task Scheduler.

    I decided to investigate that and I found an entry that my backup program created (see image)

    Conclusion: The Task Scheduler CAN and WILL wake the computer up!

    (I am very curious as to how it actually manages to do that!!!)
    (Also noticed it started 6 seconds BEFORE the actual time... the description of one of the "policy change" events mentioned something about adjusting clock... )

    Thanks again all of you for your help!
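
The wake source found by hand in the post above can also be read from the system directly. An added example, not part of the thread, that reports the last wake source, the armed wake timers, recent resume events, and every scheduled task whose settings allow it to wake the computer (the function name Get-WakeTask is made up for this example):

```powershell
# Added example (not from the thread). Run elevated:
# powercfg -waketimers needs administrator rights.
powercfg -lastwake        # device or timer behind the most recent wake
powercfg -waketimers      # timers currently armed to wake the system

# Wake history: Power-Troubleshooter writes event 1 to the System log
# on each resume, and its message names the wake source.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Power-Troubleshooter'
    Id           = 1
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# Walk the Task Scheduler folder tree through its COM interface and
# return tasks with "Wake the computer to run this task" enabled.
function Get-WakeTask($folder) {
    foreach ($task in $folder.GetTasks(1)) {      # 1 = include hidden tasks
        if ($task.Definition.Settings.WakeToRun) {
            New-Object PSObject -Property @{
                Path    = $task.Path
                Enabled = $task.Enabled
                NextRun = $task.NextRunTime
            }
        }
    }
    foreach ($sub in $folder.GetFolders(0)) { Get-WakeTask $sub }
}

$svc = New-Object -ComObject Schedule.Service
$svc.Connect()
Get-WakeTask $svc.GetFolder('\') | Format-Table Path, Enabled, NextRun -AutoSize
```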



  6. Posts : 17,545
    Windows 10 Pro x64 EN-GB
       #6

    gtalarico said:


    (Also noticed it started 6 seconds BEFORE the actual time... the description of one of
    "policy change" events mentioned something about adjusting clock... )

    Yes, the event ID 4616 means time sync.

    Kari

