 | |
| |
| 01 Nov 2011 | #1 |
| | Unauthorized Access??? Help interpreting Event Viewer Hi. I just got home and found my computer turned on. It had been in sleep mode for a few days.. The screen saver was on, and once I moved the mouse I had to enter the password to login. What is driving me crazy is, something woke it up... And I don't know if someone accessed my files... I am guessing it could be one of 3 things: 1-Someone or something moved the mouse or pressed a key. 2-Someone at my house tried to/accessed it. 3-Someone woke it by lan and accessed it remotely. (I was/am worried about this one because I have Log Me In installed - but I checked the LMI log and it was clear). I got home at 12:45 am. I checked the Event viewer and noticed that a login had happened at 11:50pm something. The problem is, I did some tests and realized that just moving the mouse and waking up the computer (without entering password and access windows) causes the Event Viewer to add a "logon" event, even though access was never granted. Could someone help me interpret these logs and tell me if the operating system was actually accessed between 11:59 and 12:40pm? (I also have the detailed logs I could post... is it safe to share those?) (these were mine: I got home at 12:45) Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4634 Logoff Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4672 Special Logon Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4624 Logon Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4648 Logon (All of these happened while I was away) Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon PS: I am behind a router, Security Essentials and Win Firewall ON, and windows password is very safe (14 digits). |
My System Specs | |
| 01 Nov 2011 | #2 |
| | 
Quote: Originally Posted by gtalarico  Hi. I just got home and found my computer turned on. It had been in sleep mode for a few days.. The screen saver was on, and once I moved the mouse I had to enter the password to login. What is driving me crazy is, something woke it up... And I don't know if someone accessed my files... I am guessing it could be one of 3 things: 1-Someone or something moved the mouse or pressed a key. 2-Someone at my house tried to/accessed it. 3-Someone woke it by lan and accessed it remotely. (I was/am worried about this one because I have Log Me In installed - but I checked the LMI log and it was clear). I got home at 12:45 am. I checked the Event viewer and noticed that a login had happened at 11:50pm something. The problem is, I did some tests and realized that just moving the mouse and waking up the computer (without entering password and access windows) causes the Event Viewer to add a "logon" event, even though access was never granted. Could someone help me interpret these logs and tell me if the operating system was actually accessed between 11:59 and 12:40pm? (I also have the detailed logs I could post... is it safe to share those?) (these were mine: I got home at 12:45) Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4634 Logoff Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4672 Special Logon Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4624 Logon Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4648 Logon (All of these happened while I was away) Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon PS: I am behind a router, Security Essentials and Win Firewall ON, and windows password is very safe (14 digits). |
| My System Specs |
| 01 Nov 2011 | #3 |
| |
Quote: Originally Posted by gtalarico ... ... (All of these happened while I was away)
Kari |
| My System Specs |
| . |
| |
| 01 Nov 2011 | #4 |
| | Thanks for your help. So can Task Scheduler wake the computer up from sleep? If not, then I will just have to move on with my life, never knowing what woke my computer up... (sneaky roommate, ghost, evil spirits, mouse ?) At least I feel better knowing the system wasn't accessed. |
| My System Specs |
| 01 Nov 2011 | #5 |
| |  Problem solved!!! Kari, you are my hero for mentioning the Task Scheduler. I decided to investigate that and I found an entry that my back up program created (see image) Conclusion: The Task Scheduler CAN and WILL wake the computer up! (I am very curious to how it actually manages to do that!!!  )(Also noticed it started 6 seconds BEFORE the actual time... the description of one of "policy change" events mentioned something about adjusting clock...  )Thanks again all of you for your help!  |
| My System Specs |
| 02 Nov 2011 | #6 |
| |
Quote: Originally Posted by gtalarico (Also noticed it started 6 seconds BEFORE the actual time... the description of one of "policy change" events mentioned something about adjusting clock... )Kari |
| My System Specs |
 |
Unauthorized Access??? Help interpreting Event Viewer problems?
« File security permissions messed up by chkdsk
|
wudfsvc WINDOWS DRIVER FOUNDATION uses too much memory »
| Thread Tools | |
| Similar help and support threads for: Unauthorized Access??? Help interpreting Event Viewer | ||||
| Thread | Forum | |||
 Event ID 7001 and 7023 Shows in Event Viewer a lot. | BSOD Help and Support | |||
| Ways to protect myself from unauthorized remote access | System Security | |||
| WHEA-Logger event 18/19 errors in Event Viewer (W7 Home Premium) | Hardware & Devices | |||
| Event Viewer Error Message Event ID10 - How to get rid of it? | BSOD Help and Support | |||
| Event Viewer Chrashes browsing Event Logs | BSOD Help and Support | |||
All times are GMT -5. The time now is 01:32 AM.
