Windows 7 Forums


Windows 7: Unauthorized Access??? Help interpreting Event Viewer

01 Nov 2011   #1
gtalarico

Win 7 x64
 
 
Unauthorized Access??? Help interpreting Event Viewer

Hi.

I just got home and found my computer turned on.
It had been in sleep mode for a few days.

The screen saver was on, and once I moved the mouse I had to enter the password to login.

What is driving me crazy is, something woke it up... And I don't know if someone accessed my files...
I am guessing it could be one of 3 things:

1-Someone or something moved the mouse or pressed a key.
2-Someone at my house tried to/accessed it.
3-Someone woke it by LAN and accessed it remotely.
(I was/am worried about this one because I have Log Me In installed - but I checked the LMI log and it was clear).

I got home at 12:45 am. I checked the Event viewer and noticed that a login had happened at 11:50pm something.
The problem is, I did some tests and realized that just moving the mouse and waking up the computer (without entering the password and accessing Windows) causes the Event Viewer to add a "logon" event, even though access was never granted.

Could someone help me interpret these logs and tell me if the operating system was actually accessed between 11:59 and 12:40pm?
(I also have the detailed logs I could post... is it safe to share those?)


(these were mine: I got home at 12:45)
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4634 Logoff
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4648 Logon


(All of these happened while I was away)
Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change
Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon
Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon


PS: I am behind a router, Security Essentials and Win Firewall ON, and Windows password is very safe (14 digits).


01 Nov 2011   #2
zigzag3143

Win 8 Release candidate 8400
 
 

You can't tell from just this log, but I would not worry about it unless someone with physical access has your 14-digit password. It would take them years to break it.
01 Nov 2011   #3
Kari

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro with Media Center
 
 

Quote: Originally Posted by gtalarico
...
...



(All of these happened while I was away)
  1. Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon
  2. Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon
  3. Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change
  4. Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change
  5. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
  6. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
  7. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
  8. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
  9. Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change
  10. Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon
  11. Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon
  12. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
  13. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
  14. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
  15. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon
  16. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon
  17. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon
  18. Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon
  19. Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon
Reading from bottom (19) to top (1), this is what seems to have happened:
  • 19. to 15.: Windows Task Scheduler logs in using administrative rights.
  • 14. to 9.: Windows has synced the time, I'm not sure why it took four attempts.
  • 8. to 1.: Windows has added an event source to log (ID 4904) and removed it (ID 4905). Happens for instance when Task Scheduler kicks in to do a task which is then not needed / not done.
I would not worry, looks normal Windows background maintenance.

Kari
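
The summary list quoted in this thread shows only event IDs; each 4624 record also carries a LogonType field that separates a person at the console from a service or scheduled task. An added example, not part of any post in the thread, that lists the 4624 events in the time window from the first post together with their logon type (the window boundaries and output column names are this example's assumptions):

```powershell
# Added example: classify 4624 logons by LogonType for the window discussed in the thread.
# Run from an elevated prompt; reading the Security log needs administrator rights.
$start = [datetime]'2011-10-31T23:59:00'   # assumed start of the window (first post)
$end   = [datetime]'2011-11-01T00:45:00'   # assumed end of the window (owner came home)

# LogonType values recorded in event 4624
$logonTypes = @{
    2  = 'Interactive (console)'
    3  = 'Network'
    4  = 'Batch (scheduled task)'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive (Remote Desktop)'
    11 = 'CachedInteractive'
}

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $start; EndTime = $end }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the named <Data> elements of the event XML into a lookup table
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $type = [int]$data['LogonType']
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = '{0} - {1}' -f $type, $logonTypes[$type]
            Process   = $data['ProcessName']
            SourceIP  = $data['IpAddress']
        }
    } |
    Sort-Object Time |
    Format-Table Time, Account, LogonType, Process, SourceIP -AutoSize
```

Rows with type 5 under the SYSTEM account are services starting; types 2, 7 and 10 are the ones that correspond to someone signing in at the console, unlocking the session, or connecting over Remote Desktop.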
01 Nov 2011   #4
gtalarico

Win 7 x64
 
 

Thanks for your help.

So can Task Scheduler wake the computer up from sleep?
If not, then I will just have to move on with my life, never knowing what woke my computer up...
(sneaky roommate, ghost, evil spirits, mouse ?)

At least I feel better knowing the system wasn't accessed.
01 Nov 2011   #5
gtalarico

Win 7 x64
 
 



Problem solved!!!

Kari, you are my hero for mentioning the Task Scheduler.

I decided to investigate that and I found an entry that my backup program created (see image)

Conclusion: The Task Scheduler CAN and WILL wake the computer up!

(I am very curious as to how it actually manages to do that!!!)
(Also noticed it started 6 seconds BEFORE the actual time... the description of one of the "policy change" events mentioned something about adjusting clock...)

Thanks again all of you for your help!
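
The check that settled this thread can be done from the command line. An added example, not part of the original posts, that asks Windows what last woke the machine and then lists every scheduled task allowed to wake it; the helper name `Get-WakeTask` is hypothetical, and the COM object used is the Task Scheduler 2.0 scripting interface:

```powershell
# Added example: find what woke the PC and which scheduled tasks are allowed to wake it.
# Run from an elevated prompt.

# Device or timer responsible for the most recent wake from sleep
powercfg -lastwake

# Wake timers currently armed (for example by a scheduled task)
powercfg -waketimers

# Hypothetical helper: walk the task folders and return tasks with
# "Wake the computer to run this task" enabled.
function Get-WakeTask($folder) {
    foreach ($task in $folder.GetTasks(1)) {          # 1 = include hidden tasks
        if ($task.Definition.Settings.WakeToRun) {
            New-Object PSObject -Property @{
                Path    = $task.Path
                Enabled = $task.Enabled
                LastRun = $task.LastRunTime
                NextRun = $task.NextRunTime
            }
        }
    }
    foreach ($sub in $folder.GetFolders(0)) {         # recurse into subfolders
        Get-WakeTask $sub
    }
}

$scheduler = New-Object -ComObject Schedule.Service
$scheduler.Connect()                                  # local machine, current user

Get-WakeTask $scheduler.GetFolder('\') |
    Sort-Object Path |
    Format-Table Path, Enabled, LastRun, NextRun -AutoSize
```

A task whose LastRun time matches the unexplained wake, as the backup job did here, accounts for the machine being on without any interactive logon.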

02 Nov 2011   #6
Kari

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro with Media Center
 
 

Quote: Originally Posted by gtalarico

(Also noticed it started 6 seconds BEFORE the actual time... the description of one of the "policy change" events mentioned something about adjusting clock...)
Yes, the event ID 4616 means time sync.

Kari
All times are GMT -5.