Solved Unauthorized Access??? Help interpreting Event Viewer

G

gtalarico

New member
Member
Local time
11:55 PM
Messages
18
Hi.

I just got home and found my computer turned on.
It had been in sleep mode for a few days..

The screen saver was on, and once I moved the mouse I had to enter the password to login.

What is driving me crazy is, something woke it up... And I don't know if someone accessed my files...
I am guessing it could be one of 3 things:

1-Someone or something moved the mouse or pressed a key.
2-Someone at my house tried to/accessed it.
3-Someone woke it by lan and accessed it remotely.
(I was/am worried about this one because I have Log Me In installed - but I checked the LMI log and it was clear).

I got home at 12:45 am. I checked the Event viewer and noticed that a login had happened at 11:50pm something.
The problem is, I did some tests and realized that just moving the mouse and waking up the computer (without entering password and access windows) causes the Event Viewer to add a "logon" event, even though access was never granted.

Could someone help me interpret these logs and tell me if the operating system was actually accessed between 11:59 and 12:40pm?
(I also have the detailed logs I could post... is it safe to share those?)


(these were mine: I got home at 12:45)
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4634 Logoff
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4648 Logon


(All of these happened while I was away)
Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change
Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon
Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon


PS: I am behind a router, Security Essentials and Win Firewall ON, and windows password is very safe (14 digits).
 

My Computer

Computer Manufacturer/Model Number
Gateway Sx-2800
OS
Win 7 x64
gtalarico said:
Hi.

I just got home and found my computer turned on.
It had been in sleep mode for a few days..

The screen saver was on, and once I moved the mouse I had to enter the password to login.

What is driving me crazy is, something woke it up... And I don't know if someone accessed my files...
I am guessing it could be one of 3 things:

1-Someone or something moved the mouse or pressed a key.
2-Someone at my house tried to/accessed it.
3-Someone woke it by lan and accessed it remotely.
(I was/am worried about this one because I have Log Me In installed - but I checked the LMI log and it was clear).

I got home at 12:45 am. I checked the Event viewer and noticed that a login had happened at 11:50pm something.
The problem is, I did some tests and realized that just moving the mouse and waking up the computer (without entering password and access windows) causes the Event Viewer to add a "logon" event, even though access was never granted.

Could someone help me interpret these logs and tell me if the operating system was actually accessed between 11:59 and 12:40pm?
(I also have the detailed logs I could post... is it safe to share those?)


(these were mine: I got home at 12:45)
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4634 Logoff
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:49:59 AM Microsoft Windows security auditing. 4648 Logon


(All of these happened while I was away)
Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change
Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon
Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon
Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon
Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon


PS: I am behind a router, Security Essentials and Win Firewall ON, and windows password is very safe (14 digits).
Click to expand...

You cant tell from just this log but I would not worry about it unless someone with physical access has your 14 digit password. It would take them years to break it.
 

My Computer

Computer Manufacturer/Model Number
HP Pavillion dv-7 1005 Tx
OS
Win 8 Release candidate 8400
CPU
[email protected]
Memory
4 gigs
Graphics Card(s)
Nvidia 9600M
Sound Card
HD built-in
Monitor(s) Displays
17" Wxga
Screen Resolution
1440x900
Cooling
none
Internet Speed
45Mb down 5Mb up
gtalarico said:
...
...



(All of these happened while I was away)
  1. Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4672 Special Logon
  2. Audit Success 11/1/2011 12:10:00 AM Microsoft Windows security auditing. 4624 Logon
  3. Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4905 Audit Policy Change
  4. Audit Success 11/1/2011 12:04:33 AM Microsoft Windows security auditing. 4904 Audit Policy Change
  5. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
  6. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
  7. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4672 Special Logon
  8. Audit Success 11/1/2011 12:04:08 AM Microsoft Windows security auditing. 4624 Logon
  9. Audit Success 11/1/2011 12:02:59 AM Microsoft Windows security auditing. 4616 Security State Change
  10. Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4672 Special Logon
  11. Audit Success 11/1/2011 12:01:27 AM Microsoft Windows security auditing. 4624 Logon
  12. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
  13. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
  14. Audit Success 11/1/2011 12:00:13 AM Microsoft Windows security auditing. 4616 Security State Change
  15. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4672 Special Logon
  16. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4624 Logon
  17. Audit Success 11/1/2011 12:00:00 AM Microsoft Windows security auditing. 4648 Logon
  18. Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4672 Special Logon
  19. Audit Success 10/31/2011 11:59:54 PM Microsoft Windows security auditing. 4624 Logon
Click to expand...
Reading from bottom (19) to top (1), this is what seems to have happened:

  • 19. to 15.: Windows Task Scheduler logs in using administrative rights.
  • 14. to 9.: Windows has synced the time, I'm not sure why it took four attempts.
  • 8. to 1.: Windows has added an event source to log (ID 4904) and removed it (ID 4905). Happens for instance when Task Scheduler kicks in to do a task which is then not needed / not done.
I would not worry, looks normal Windows background maintenance.

Kari
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
HP ENVY 17-1150eg
OS
Windows 10 Pro x64 EN-GB
CPU
1.6 GHz Intel Core i7-720QM Processor
Memory
6 GB
Graphics Card(s)
ATI Mobility Radeon HD 5850 Graphics
Sound Card
Beats sound system with integrated subwoofer
Monitor(s) Displays
17" laptop display, 22" LED and 32" Full HD TV through HDMI
Screen Resolution
1600*900 (1), 1920*1080 (2&3)
Hard Drives
Internal: 2 x 500 GB SATA Hard Disk Drive 7200 rpm
External: 2TB for backups, 3TB USB3 network drive for media
Cooling
As Envy runs a bit warm, I have it on a Cooler Master pad
Keyboard
Logitech diNovo Media Desktop Laser (bluetooth)
Mouse
Logitech Performance Mouse MX
Internet Speed
50/10 Mbps VDSL
Antivirus
Windows Defender 4.3.9431.0
Browser
Maxthon 3.5.2., IE11
Thanks for your help.

So can Task Scheduler wake the computer up from sleep?
If not, then I will just have to move on with my life, never knowing what woke my computer up...
(sneaky roommate, ghost, evil spirits, mouse ?)

At least I feel better knowing the system wasn't accessed.
 

My Computer

Computer Manufacturer/Model Number
Gateway Sx-2800
OS
Win 7 x64
:D

Problem solved!!!

Kari, you are my hero for mentioning the Task Scheduler.

I decided to investigate that and I found an entry that my back up program created (see image)

Conclusion: The Task Scheduler CAN and WILL wake the computer up!

(I am very curious to how it actually manages to do that!!!:sarc:)
(Also noticed it started 6 seconds BEFORE the actual time... the description of one of
"policy change" events mentioned something about adjusting clock... :rolleyes:)

Thanks again all of you for your help!

 

My Computer

Computer Manufacturer/Model Number
Gateway Sx-2800
OS
Win 7 x64

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
HP ENVY 17-1150eg
OS
Windows 10 Pro x64 EN-GB
CPU
1.6 GHz Intel Core i7-720QM Processor
Memory
6 GB
Graphics Card(s)
ATI Mobility Radeon HD 5850 Graphics
Sound Card
Beats sound system with integrated subwoofer
Monitor(s) Displays
17" laptop display, 22" LED and 32" Full HD TV through HDMI
Screen Resolution
1600*900 (1), 1920*1080 (2&3)
Hard Drives
Internal: 2 x 500 GB SATA Hard Disk Drive 7200 rpm
External: 2TB for backups, 3TB USB3 network drive for media
Cooling
As Envy runs a bit warm, I have it on a Cooler Master pad
Keyboard
Logitech diNovo Media Desktop Laser (bluetooth)
Mouse
Logitech Performance Mouse MX
Internet Speed
50/10 Mbps VDSL
Antivirus
Windows Defender 4.3.9431.0
Browser
Maxthon 3.5.2., IE11
You must log in or register to reply here.
Back
Top