Unauthorized Access??? Help interpreting Event Viewer


  1. Posts : 18
    Win 7 x64
       #1



    Hi.

    I just got home and found my computer turned on.
    It had been in sleep mode for a few days.

    The screen saver was on, and once I moved the mouse I had to enter the password to login.

    What is driving me crazy is, something woke it up... And I don't know if someone accessed my files...
    I am guessing it could be one of 3 things:

    1-Someone or something moved the mouse or pressed a key.
    2-Someone at my house tried to/accessed it.
    3-Someone woke it by LAN and accessed it remotely.
    (I was/am worried about this one because I have Log Me In installed - but I checked the LMI log and it was clear).

    I got home at 12:45 am. I checked the Event viewer and noticed that a login had happened at 11:50pm something.
    The problem is, I did some tests and realized that just moving the mouse and waking up the computer (without entering the password and accessing Windows) causes the Event Viewer to add a "logon" event, even though access was never granted.

    Could someone help me interpret these logs and tell me if the operating system was actually accessed between 11:59 and 12:40pm?
    (I also have the detailed logs I could post... is it safe to share those?)


    (these were mine: I got home at 12:45)
    Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4634 Logoff
    Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4648 Logon


    (All of these happened while I was away)
    Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change
    Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change
    Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change
    Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon
    Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon


    PS: I am behind a router, Security Essentials and Win Firewall ON, and Windows password is very safe (14 digits).


  2. Posts : 28,845
    Win 8 Release candidate 8400
       #2

    gtalarico said:
    ...

    You can't tell from just this log, but I would not worry about it unless someone with physical access has your 14-digit password. It would take them years to break it.


  3. Posts : 17,545
    Windows 10 Pro x64 EN-GB
       #3

    gtalarico said:
    ...
    ...



    (All of these happened while I was away)
    1. Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon
    2. Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon
    3. Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change
    4. Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change
    5. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
    6. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
    7. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
    8. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
    9. Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change
    10. Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon
    11. Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon
    12. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    13. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    14. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
    15. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon
    16. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon
    17. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon
    18. Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon
    19. Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon

    Reading from bottom (19) to top (1), this is what seems to have happened:

    • 19. to 15.: Windows Task Scheduler logs in using administrative rights.
    • 14. to 9.: Windows has synced the time, I'm not sure why it took four attempts.
    • 8. to 1.: Windows has added an event source to log (ID 4904) and removed it (ID 4905). Happens for instance when Task Scheduler kicks in to do a task which is then not needed / not done.
    I would not worry, looks normal Windows background maintenance.

    Kari


  4. Posts : 18
    Win 7 x64
    Thread Starter
       #4

    Thanks for your help.

    So can Task Scheduler wake the computer up from sleep?
    If not, then I will just have to move on with my life, never knowing what woke my computer up...
    (sneaky roommate, ghost, evil spirits, mouse ?)

    At least I feel better knowing the system wasn't accessed.


  5. Posts : 18
    Win 7 x64
    Thread Starter
       #5



    Problem solved!!!

    Kari, you are my hero for mentioning the Task Scheduler.

    I decided to investigate that and I found an entry that my backup program created (see image).

    Conclusion: The Task Scheduler CAN and WILL wake the computer up!

    (I am very curious as to how it actually manages to do that!!!)
    (Also noticed it started 6 seconds BEFORE the actual time... the description of one of the "policy change" events mentioned something about adjusting clock...)

    Thanks again all of you for your help!



  6. Posts : 17,545
    Windows 10 Pro x64 EN-GB
       #6

    gtalarico said:


    (Also noticed it started 6 seconds BEFORE the actual time... the description of one of "policy change" events mentioned something about adjusting clock... )

    Yes, the event ID 4616 means time sync.

    Kari
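
Added example, not part of the original thread: the summary list above shows only event IDs, while the logon type, account and process recorded inside each 4624 event are what separate background logons from a person at the keyboard. This PowerShell sketch pulls those fields for the window discussed in the thread and then asks Windows what woke the machine; the time window is an assumption taken from the posts, and the script must run from an elevated prompt.

```powershell
# Added example (not from the thread). Run elevated: the Security log needs admin rights.
# Time window is an assumption based on the timestamps posted above.
$start = Get-Date -Year 2011 -Month 10 -Day 31 -Hour 23 -Minute 55 -Second 0
$end   = Get-Date -Year 2011 -Month 11 -Day 1  -Hour 0  -Minute 45 -Second 0

# Logon type codes carried in event 4624
$logonTypes = @{
    2  = 'Interactive (console)'
    3  = 'Network'
    4  = 'Batch (scheduled task)'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive (Remote Desktop)'
    11 = 'CachedInteractive'
}

# 1) Who logged on, how, and from where
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624
                                 StartTime = $start; EndTime = $end } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's <Data Name="..."> elements into a lookup table
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        $type = [int]$data['LogonType']
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = '{0} {1}' -f $type, $logonTypes[$type]
            Process   = $data['ProcessName']
            SourceIP  = $data['IpAddress']
        }
    } |
    Sort-Object Time |
    Select-Object Time, User, LogonType, Process, SourceIP |
    Format-Table -AutoSize

# 2) What woke the machine: the System log records the wake source on resume
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1
                                 ProviderName = 'Microsoft-Windows-Power-Troubleshooter'
                                 StartTime = $start; EndTime = $end } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

powercfg -lastwake     # device or timer behind the most recent wake
powercfg -waketimers   # timers currently armed to wake the system
```

Type 4 and 5 logons under SYSTEM or a service account match the background activity described in post #3, while type 2, 7 or 10 under your own user name in that window would mean a console logon, an unlock or a Remote Desktop session.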