

Windows 7: Unauthorized Access??? Help interpreting Event Viewer


01 Nov 2011   #1

Win 7 x64
 
 

Hi.

I just got home and found my computer turned on.
It had been in sleep mode for a few days.

The screen saver was on, and once I moved the mouse I had to enter the password to login.

What is driving me crazy is, something woke it up... And I don't know if someone accessed my files...
I am guessing it could be one of 3 things:

1-Someone or something moved the mouse or pressed a key.
2-Someone at my house tried to/accessed it.
3-Someone woke it by LAN and accessed it remotely.
(I was/am worried about this one because I have Log Me In installed - but I checked the LMI log and it was clear).

I got home at 12:45 am. I checked the Event viewer and noticed that a login had happened at 11:50pm something.
The problem is, I did some tests and realized that just moving the mouse and waking up the computer (without entering the password and accessing Windows) causes the Event Viewer to add a "logon" event, even though access was never granted.

Could someone help me interpret these logs and tell me if the operating system was actually accessed between 11:59 and 12:40pm?
(I also have the detailed logs I could post... is it safe to share those?)


(these were mine: I got home at 12:45)
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4634 Logoff
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4648 Logon


(All of these happened while I was away)
Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change
Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon
Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon


PS: I am behind a router, Security Essentials and Windows Firewall are ON, and my Windows password is very safe (14 digits).


01 Nov 2011   #2

Win 8 Release candidate 8400
 
 

Quote: Originally Posted by gtalarico
...

You can't tell from just this log, but I would not worry about it unless someone with physical access has your 14-digit password. It would take them years to break it.
01 Nov 2011   #3

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro with Media Center
 
 

Quote: Originally Posted by gtalarico
...
...



(All of these happened while I was away)
  1. Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon
  2. Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon
  3. Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change
  4. Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change
  5. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
  6. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
  7. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
  8. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
  9. Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change
  10. Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon
  11. Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon
  12. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
  13. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
  14. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
  15. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon
  16. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon
  17. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon
  18. Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon
  19. Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon
Reading from bottom (19) to top (1), this is what seems to have happened:
  • 19. to 15.: Windows Task Scheduler logs in using administrative rights.
  • 14. to 9.: Windows has synced the time; I'm not sure why it took four attempts.
  • 8. to 1.: Windows has added an event source to log (ID 4904) and removed it (ID 4905). This happens, for instance, when Task Scheduler kicks in to do a task which is then not needed / not done.
I would not worry; this looks like normal Windows background maintenance.

Kari
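
The summary rows quoted in this thread show only event IDs; what separates a service or scheduled-task logon from someone at the keyboard or in a remote session is the Logon Type field inside each 4624 record. The following is an added example, not part of any post above: it classifies 4624 records by Logon Type from event XML in the shape of Event Viewer's XML view. The sample records, the account name `example-user` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Logon Type values recorded in the EventData of event 4624
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
# Types where a person reached a desktop session, at the console or remotely
DESKTOP_TYPES = {2, 7, 10, 11}

# Constructed sample (not the poster's log): times, account and paths are made up
SAMPLE_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2011-11-01T03:00:00Z"/></System>
 <EventData><Data Name="TargetUserName">SYSTEM</Data><Data Name="LogonType">5</Data>
 <Data Name="ProcessName">C:\Windows\System32\services.exe</Data></EventData></Event>
<Event><System><EventID>4672</EventID><TimeCreated SystemTime="2011-11-01T03:00:00Z"/></System>
 <EventData><Data Name="SubjectUserName">SYSTEM</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2011-11-01T03:00:05Z"/></System>
 <EventData><Data Name="TargetUserName">example-user</Data><Data Name="LogonType">4</Data>
 <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2011-11-01T08:30:00Z"/></System>
 <EventData><Data Name="TargetUserName">example-user</Data><Data Name="LogonType">7</Data>
 <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data></EventData></Event>
</Events>"""

def parse_logons(xml_text):
    """Return one dict per 4624 event: time, account, logon type, process."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # 4672, 4616, 4904 and 4905 carry no LogonType field
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        ltype = int(data.get("LogonType") or 0)
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        rows.append({"time": when, "user": data.get("TargetUserName", ""),
                     "type": ltype, "type_name": LOGON_TYPES.get(ltype, "Unknown"),
                     "process": data.get("ProcessName", ""),
                     "desktop_session": ltype in DESKTOP_TYPES})
    return rows

def desktop_sessions(rows):
    """Keep only the logons that put someone in front of a desktop."""
    return [r for r in rows if r["desktop_session"]]

if __name__ == "__main__":
    for r in parse_logons(SAMPLE_XML):
        note = "REVIEW" if r["desktop_session"] else "background"
        print(r["time"], r["type"], r["type_name"], r["user"], note)
```
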


01 Nov 2011   #4

Win 7 x64
 
 

Thanks for your help.

So can Task Scheduler wake the computer up from sleep?
If not, then I will just have to move on with my life, never knowing what woke my computer up...
(sneaky roommate, ghost, evil spirits, mouse ?)

At least I feel better knowing the system wasn't accessed.
01 Nov 2011   #5

Win 7 x64
 
 



Problem solved!!!

Kari, you are my hero for mentioning the Task Scheduler.

I decided to investigate that and I found an entry that my backup program created (see image)

Conclusion: The Task Scheduler CAN and WILL wake the computer up!

(I am very curious as to how it actually manages to do that!!!)
(Also noticed it started 6 seconds BEFORE the actual time... the description of one of the "policy change" events mentioned something about adjusting the clock...)

Thanks again all of you for your help!
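
The "Wake the computer to run this task" condition in Task Scheduler is stored as the `WakeToRun` setting in a task's XML definition. As an added example, not part of the original posts, the code below lists enabled tasks that carry that setting, with their trigger start times and commands. The task names, times and commands in the sample are constructed.

```python
import xml.etree.ElementTree as ET

T = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definitions in Task Scheduler's XML export format
# (names, times and commands are made up; the XML declaration is left out)
SAMPLE_TASKS = {
    r"\ExampleBackup\Nightly": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
 <Triggers><CalendarTrigger><StartBoundary>2011-10-01T00:00:00</StartBoundary>
  <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
 <Settings><Enabled>true</Enabled><WakeToRun>true</WakeToRun></Settings>
 <Actions><Exec><Command>C:\Program Files\ExampleBackup\backup.exe</Command></Exec></Actions>
</Task>""",
    r"\ExampleVendor\UpdateCheck": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
 <Triggers><LogonTrigger/></Triggers>
 <Settings><WakeToRun>false</WakeToRun></Settings>
 <Actions><Exec><Command>C:\Program Files\ExampleVendor\update.exe</Command></Exec></Actions>
</Task>""",
    r"\ExampleVendor\OldJob": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
 <Triggers><TimeTrigger><StartBoundary>2011-01-01T03:00:00</StartBoundary></TimeTrigger></Triggers>
 <Settings><Enabled>false</Enabled><WakeToRun>true</WakeToRun></Settings>
 <Actions><Exec><Command>C:\Program Files\ExampleVendor\old.exe</Command></Exec></Actions>
</Task>""",
}

def _flag(settings, name, default):
    """Read a boolean child of <Settings>, falling back to the schema default."""
    if settings is None:
        return default
    text = settings.findtext(f"t:{name}", namespaces=T)
    return default if text is None else text.strip().lower() == "true"

def wake_capable_tasks(tasks):
    """Return enabled tasks whose definition sets WakeToRun, sorted by name."""
    found = []
    for name, xml_text in sorted(tasks.items()):
        root = ET.fromstring(xml_text)
        settings = root.find("t:Settings", T)
        # Schema defaults: Enabled is true, WakeToRun is false
        if not (_flag(settings, "Enabled", True) and _flag(settings, "WakeToRun", False)):
            continue
        found.append({"task": name,
                      "starts": [e.text for e in root.findall("t:Triggers/*/t:StartBoundary", T)],
                      "commands": [e.text for e in root.findall("t:Actions/t:Exec/t:Command", T)]})
    return found

if __name__ == "__main__":
    for t in wake_capable_tasks(SAMPLE_TASKS):
        print(t["task"], t["starts"], t["commands"])
```

On a live system, `powercfg -lastwake` reports what woke the machine most recently and `powercfg -waketimers` lists the wake timers currently set.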

02 Nov 2011   #6

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro with Media Center
 
 

Quote: Originally Posted by gtalarico
(Also noticed it started 6 seconds BEFORE the actual time... the description of one of the "policy change" events mentioned something about adjusting the clock...)

Yes, the event ID 4616 means time sync.

Kari