

Windows 7: Event Viewer: Who logged in? Why am I seeing myself as "remote"?

05 Apr 2019   #1
MSKHAN

Microsoft Windows 7 Enterprise 64-bit Service Pack 1
 
 
Event Viewer: Who logged in? Why am I seeing myself as "remote"?

I want the input from people who understand what the Event Viewer logs (Win 7 Enterprise) actually mean. Auditing is already enabled on my machine so it does have some logs.

Under Windows Logs/Security, I get many "Audit Success" logs with various Event IDs and Task category. I am not sure what to ignore and what to count. The accounts I use are a local admin account and a domain user account. But I see countless logins from, for example: the computer's name itself, SYSTEM (domain NT Authority) and something called SophosSAUSETUPPCO.

Are remote logons logged here? I also checked under Windows Logs/Microsoft/Windows for possible login information logs in the following directories:

Quote:
RemoteApp and Desktop Connections: There's nothing stored here

RemoteAssistance: There are random logs here but only from a user called SYSTEM

RemoteDesktopServices-RdpCoreTS: There's nothing stored here

RemoteDesktopServices-RemoteDesktopSessionManager: There's nothing stored here

Then I looked here:

Quote:
TerminalServices-LocalSessionManager: For some reason, nothing was logged here in between 22nd of last month and the 2nd of this month. All the logs I've checked here are from the two users I use myself.

This is where I'm a bit confused. Firstly, why are they all logged as "Remote Desktop Services" when I am logging into the accounts locally?

Secondly, why are logs missing for some dates? I've noticed a pattern of them missing on or around weekends. However, that is not always true. However, how are logs here between the evening of 22/03 and the morning of 02/04 non-existent? I also noticed this same gap from: 31st Jan to 7th Feb, Jan 11th to 16th and again from 16th to 23rd.

I also looked under:

Quote:
TerminalServices-RemoteConnectionManager: All the logs here seem to be from users SYSTEM and NETWORK SERVICE.

Like the previous one, logs are sometimes missing during the weekend period. Logs here seem to be missing between: 22/03 and 03/04, 30th Jan to 7th Feb, Jan 11th to 25th and then 25th to 30th. There are also no logs present between 7th Jan and 11th.


I'd really appreciate it if someone helped me understand these things better. I wish to find out if someone else has been accessing/using this machine remotely. Any help is greatly appreciated.


05 Apr 2019   #2
torchwood

W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
 
 

Hi MSKHAN,

I'm not a networking investigator; wait for Samuria, sure he's got links to a couple of investigative tools.
As you're running Enterprise it's possible you're receiving data from its activation server; this will be done using permissions from those 2 services.

Are you using a VPN?



Roy
05 Apr 2019   #3
MSKHAN

Microsoft Windows 7 Enterprise 64-bit Service Pack 1
 
 

Quote: Originally Posted by torchwood
Hi MSKHAN,

I'm not a networking investigator; wait for Samuria, sure he's got links to a couple of investigative tools.
As you're running Enterprise it's possible you're receiving data from its activation server; this will be done using permissions from those 2 services.

Are you using a VPN?

Roy

Hey Roy! Thanks for the response.

I hope Samuria will help shed more light on the matter.

I am running Win 7 Enterprise on a work laptop at home and using two accounts. One is a domain/user account and the other is a local admin account.

No, I am not using a VPN. I am connected to my home internet.

05 Apr 2019   #4
torchwood

W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
 
 

Hi MSKHAN,

In your case it will DEFINITELY talk to your company's server as you're using a Domain profile, connected to them.

That does not explain the missing logs UNLESS there were rules set up by your company's IT dept BEFORE they gave you the comp.

Unfortunately we don't know what, if any, rules/restrictions they have put in place
AND we, like all other forums, have a Duty of Responsibility to them as well, and as such we can't in all good faith make changes. It's a forum rule.

Have a chat with your IT Dept, and let them investigate.


Roy
05 Apr 2019   #5
MSKHAN

Microsoft Windows 7 Enterprise 64-bit Service Pack 1
 
 

Quote: Originally Posted by torchwood
Hi MSKHAN,

In your case it will DEFINITELY talk to your company's server as you're using a Domain profile, connected to them.

That does not explain the missing logs UNLESS there were rules set up by your company's IT dept BEFORE they gave you the comp.

Unfortunately we don't know what, if any, rules/restrictions they have put in place
AND we, like all other forums, have a Duty of Responsibility to them as well, and as such we can't in all good faith make changes. It's a forum rule.

Have a chat with your IT Dept, and let them investigate.

Roy

Oh! I am not looking to make any changes.

All the settings were pre-configured to abide by the IT policy the machine has to abide by.

As I've mentioned in the earlier posts, I am trying to understand the discrepancies and detect potential security problems. Not having the knowledge, I can't tell the difference between what's normal and what's a sign of a security compromise. For example, I'd like to know if a certain preset rule is stopping the logging or if a potential attacker has removed them. I don't see how that can't be discussed here in good faith.

In any case, I'd trust the moderators here to make that judgement and even delete the thread if needed.
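
Added example, not part of any post in this thread: a read-only PowerShell pass over the logs named in posts #1 and #5 that separates logon types, lists sessions whose source is not the local console, and looks for gaps, clearing records and overwrite settings. The event IDs are the standard Windows ones and are not mentioned in the thread; the 90-day window and the helper names `Get-EventField` and `Get-LogGap` are assumptions made for the example.

```powershell
# Added example (not from the thread). Run in an elevated prompt; works on PowerShell 2.0 (Windows 7).
$since = (Get-Date).AddDays(-90)   # assumed look-back window
$lsm   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

# Security 4624 = successful logon; LogonType tells how the session was created.
$typeName = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock';
               10='RemoteInteractive'; 11='CachedInteractive' }
function Get-EventField($xml, $name) {   # hypothetical helper: read one named EventData field
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}
$logons = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $t = [int](Get-EventField $x 'LogonType')
        New-Object PSObject -Property @{
            Time   = $_.TimeCreated
            User   = (Get-EventField $x 'TargetDomainName') + '\' + (Get-EventField $x 'TargetUserName')
            Type   = $(if ($typeName.ContainsKey($t)) { $typeName[$t] } else { "Type$t" })
            Source = Get-EventField $x 'IpAddress'
        }
    }
# Volume per type and account: Service and Network logons by SYSTEM or the computer account normally dominate.
$logons | Group-Object Type, User | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
# Only type 10 is a Remote Desktop logon; Source is the client address.
$logons | Where-Object { $_.Type -eq 'RemoteInteractive' } | Format-Table Time, User, Source -AutoSize

# LocalSessionManager 21 (logon) / 25 (reconnect): console sessions show "Source Network Address: LOCAL".
Get-WinEvent -FilterHashtable @{ LogName=$lsm; Id=21,25; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -notmatch 'Source Network Address:\s*LOCAL' } |
    Format-List TimeCreated, Id, Message

# Gaps of a day or more in a log. A gap that also appears in System means nothing at all was logged then.
function Get-LogGap($logName, $minHours = 24) {   # hypothetical helper
    $times = @(Get-WinEvent -LogName $logName -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.TimeCreated } | Sort-Object)
    for ($i = 1; $i -lt $times.Count; $i++) {
        $gap = $times[$i] - $times[$i - 1]
        if ($gap.TotalHours -ge $minHours) {
            New-Object PSObject -Property @{ Log=$logName; From=$times[$i-1]; To=$times[$i]; Hours=[int]$gap.TotalHours }
        }
    }
}
'System', 'Security', $lsm | ForEach-Object { Get-LogGap $_ } | Format-Table Log, From, To, Hours -AutoSize

# Explicit clearing leaves a record: 1102 in Security, 104 in System (its message names the cleared log).
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=1102 } -ErrorAction SilentlyContinue | Format-List TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id=104 } -ErrorAction SilentlyContinue | Format-List TimeCreated, Id, Message
# Size limit and overwrite mode: a small Circular log drops its oldest events by itself.
Get-WinEvent -ListLog Security, $lsm | Format-Table LogName, LogMode, MaximumSizeInBytes, RecordCount -AutoSize
```

A gap that shows up in every log, System included, with no 1102 or 104 record next to it, is what a laptop that was powered off or asleep looks like.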