Препоръчайте ми читав Windows 10 без бъгове и максимално оптимизиран добре работещ
-
impossible
Извън линия - Потребител
- Мнения: 488
- Регистриран на: 15 Юни 2019, 12:41
- Се отблагодари: 23 пъти
- Получена благодарност: 47 пъти
Препоръчайте ми читав Windows 10 без бъгове и максимално оптимизиран добре работещ
Та реших да си преинсталирам компютъра понеже от известно време крашва
Последно промяна от illusion на 05 Ное 2020, 14:44, променено общо 1 път.
Причина: Темата е преместена в правилният раздел.
Причина: Темата е преместена в правилният раздел.
-
illusion
Извън линия - Developer
- Мнения: 1796
- Регистриран на: 27 Ное 2016, 17:47
- Местоположение: CraftVision
- Се отблагодари: 151 пъти
- Получена благодарност: 358 пъти
- Обратна връзка:
Препоръчайте ми читав Windows 10 без бъгове и максимално оптимизиран добре работещ
Как така крашва? Няма как е така да си крашва и да е от Windows.. Кажи с какви характеристики си на компютъра (CPU, GPU, RAM)
Windows 10 го свали от официалният сайт на Microsoft - https://go.microsoft.com/fwlink/?LinkId=691209. От инсталатора можеш да си избереш дали да го инсталираш на компютъра ти или да го качиш на флашка примерно.
Windows 10 го свали от официалният сайт на Microsoft - https://go.microsoft.com/fwlink/?LinkId=691209. От инсталатора можеш да си избереш дали да го инсталираш на компютъра ти или да го качиш на флашка примерно.
-
impossible
Извън линия - Потребител
- Мнения: 488
- Регистриран на: 15 Юни 2019, 12:41
- Се отблагодари: 23 пъти
- Получена благодарност: 47 пъти
Препоръчайте ми читав Windows 10 без бъгове и максимално оптимизиран добре работещ
В момента съм с Windows7 както знаете вече не се поддържа.
Ами проблема е следния: както си цъкам нещо примерно цс и изведнъж крашва, замръзва екрана след което го рестартирам няколко пъти но монитора не светва след това го изключвам от захранването и го включвам отново и стартира на работния плод но иконите изчезват и пак крашва не можеш да кликнеш никъде и се появява син екран да разбирам, че това е един вид защитна реакция да не изгори нещо!?
Помислих си, че проблема идва от Драйвърите на видеото ъпдейтнах ги от сайта на AMD.COM
Но пак същото помислих си, че проблема може да идва от това че нещо последната версия на драйвърите причинява проблема
След това имам на диск старите драйвъри инсталирах ги да видя с тях как ще се държи но уви пак краш.
виждам, че и други хора са имали подобен проблем https://forums.softvisia.com/index.php/ ... %B2%D0%B8/
Това изписва в Event Logs
Иначе това са параметрите на компютъра:
/* *************************************************** **************************************************** */
->
->
->
->
->
->
->
->
->
->
/* *************************************************** **************************************************** */
--------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> /* *************************************************** **************************************************** */
Ами проблема е следния: както си цъкам нещо примерно цс и изведнъж крашва, замръзва екрана след което го рестартирам няколко пъти но монитора не светва след това го изключвам от захранването и го включвам отново и стартира на работния плод но иконите изчезват и пак крашва не можеш да кликнеш никъде и се появява син екран да разбирам, че това е един вид защитна реакция да не изгори нещо!?
Помислих си, че проблема идва от Драйвърите на видеото ъпдейтнах ги от сайта на AMD.COM
Но пак същото помислих си, че проблема може да идва от това че нещо последната версия на драйвърите причинява проблема
След това имам на диск старите драйвъри инсталирах ги да видя с тях как ще се държи но уви пак краш.
виждам, че и други хора са имали подобен проблем https://forums.softvisia.com/index.php/ ... %B2%D0%B8/
Това изписва в Event Logs
Код за потвърждение: Избери целия код
Log Name Event Type Category Generated On User Source Description
Application Error None 2020-10-29 17:25:56 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-10-29 17:30:02 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-10-29 17:30:02 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-10-29 18:59:39 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-10-29 19:02:46 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-10-29 19:02:46 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-10-29 19:53:30 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-10-29 19:58:28 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-10-29 19:58:28 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Warning None 2020-10-29 21:44:13 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 9 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000: Process 1568 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1948 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\aswToolsSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1948 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\aswToolsSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1948 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\aswToolsSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1568 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1568 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall Process 1568 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl Process 1568 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Process 1568 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy
Application Warning None 2020-10-29 21:44:14 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000_Classes: Process 1948 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\aswToolsSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000_CLASSES
Application Error None 2020-10-29 21:46:55 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-10-29 21:51:57 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-10-29 21:51:58 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Warning None 2020-10-29 22:15:11 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 2 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000: Process 1364 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1364 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall
Application Error None 2020-10-29 22:17:48 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-10-29 22:20:53 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-10-29 22:20:53 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-10-29 22:52:35 Microsoft-Windows-Defrag 257: Òîìúò (C:) íå å äåôðàãìåíòèðàí, òúé êàòî âúçíèêíà ãðåøêà: Îïòèìèçèðàíåòî íà çàðåæäàíåòî íå ìîæå äà çàâúðøè ïîðàäè ëèïñà íà ñâîáîäíî ìÿñòî. (0x89000019)
Application Warning None 2020-10-30 01:18:12 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 6 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000: Process 1616 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1616 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1616 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall Process 1616 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl Process 1616 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Process 1616 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main
Application Error None 2020-10-30 10:30:27 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-10-30 10:35:13 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-10-30 10:35:13 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Warning None 2020-10-30 11:52:47 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 13 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000: Process 1584 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1584 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1584 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1584 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall Process 1584 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts Process 1584 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache Process 1584 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl Process 1584 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Policies Process 1584 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software Process 1584 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Process 1584 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main Process 1584 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Explorer Process 1584 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy
Application Error None 2020-10-30 11:55:27 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-10-30 11:59:03 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-10-30 11:59:03 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Warning None 2020-10-30 12:06:57 Steam Client Service 2: Warning: Updated file "secure_desktop_capture.exe" from version 0x000600070057000f to version 0x0006000c00570000.
Application Warning None 2020-10-30 12:06:57 Steam Client Service 2: Warning: Updated file "drivers.exe" from version 0x0001000000000001 to version 0x0006000000340023.
Application Warning None 2020-10-30 12:06:57 Steam Client Service 2: Warning: Updated file "SteamService.dll" from version 0x000600070057000f to version 0x0006000c00570000.
Application Warning None 2020-10-30 12:38:49 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 3 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000: Process 1548 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1548 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall Process 4252 (\Device\HarddiskVolume3\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
Application Error None 2020-10-30 12:41:26 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-10-30 12:45:00 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-10-30 12:45:00 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Warning None 2020-10-30 13:06:39 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 2 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000: Process 1612 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1612 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall
Application Error None 2020-10-30 13:09:11 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-10-30 13:13:25 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-10-30 13:13:25 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Warning None 2020-10-30 19:37:22 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 7 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000: Process 1492 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1492 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1492 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall Process 1492 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl Process 1492 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Process 1492 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main Process 1492 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
Application Error None 2020-10-30 19:40:03 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-10-30 19:43:35 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-10-30 19:43:35 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Warning None 2020-10-31 00:01:20 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 11 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000: Process 1544 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1544 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1544 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1544 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall Process 1544 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache Process 1544 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl Process 1544 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Policies Process 1544 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software Process 1544 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Process 1544 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main Process 1544 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy
Application Error None 2020-10-31 19:35:03 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-10-31 19:39:34 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-10-31 19:39:34 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Warning None 2020-11-01 01:49:16 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 5 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000: Process 1572 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1572 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1572 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall Process 1572 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl Process 1572 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Application Error None 2020-11-01 11:12:06 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-11-01 11:15:18 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-11-01 11:15:18 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-11-01 14:03:20 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-11-01 14:06:36 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-11-01 14:06:36 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-11-01 14:52:11 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-11-01 14:55:17 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-11-01 14:55:17 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-11-01 16:06:19 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-11-01 16:11:14 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-11-01 16:11:14 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Warning None 2020-11-01 23:43:47 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 11 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000: Process 1540 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1540 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1540 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1540 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall Process 1540 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache Process 1540 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl Process 1540 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Policies Process 1540 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software Process 1540 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Process 1540 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main Process 1540 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy
Application Error None 2020-11-02 08:38:55 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-11-02 08:42:37 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-11-02 08:42:37 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-11-02 09:43:23 Microsoft-Windows-Defrag 257: Òîìúò (C:) íå å äåôðàãìåíòèðàí, òúé êàòî âúçíèêíà ãðåøêà: Îïòèìèçèðàíåòî íà çàðåæäàíåòî íå ìîæå äà çàâúðøè ïîðàäè ëèïñà íà ñâîáîäíî ìÿñòî. (0x89000019)
Application Warning None 2020-11-03 00:24:00 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 12 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000: Process 1576 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1576 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1576 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1576 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall Process 1576 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache Process 1576 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl Process 1576 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Policies Process 1576 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software Process 1576 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Process 1576 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main Process 1576 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Explorer Process 1576 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy
Application Error None 2020-11-03 19:39:26 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-11-03 19:42:52 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-11-03 19:42:52 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Warning None 2020-11-03 21:30:49 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 9 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000: Process 1560 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1772 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\aswToolsSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1772 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\aswToolsSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1772 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\aswToolsSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1772 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\aswToolsSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1560 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1560 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall Process 1560 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl Process 1560 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Application Warning None 2020-11-03 21:30:50 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000_Classes: Process 1772 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\aswToolsSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000_CLASSES
Application Error None 2020-11-04 16:33:23 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-11-04 16:38:04 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-11-04 16:38:04 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-11-04 17:02:58 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-11-04 17:06:23 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Error None 2020-11-04 17:06:23 SYSTEM Microsoft-Windows-LoadPerf 3006: Unable to read the performance counter strings defined for the 002 language ID. The first DWORD in the Data section contains the Win32 error code.
Application Warning None 2020-11-05 01:30:44 SYSTEM Microsoft-Windows-User Profiles Service 1530: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 7 user registry handles leaked from \Registry\User\S-1-5-21-4015017734-987073429-1860001923-1000: Process 1700 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000 Process 1700 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 1700 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall Process 1700 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl Process 1700 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Process 1700 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Internet Explorer\Main Process 1700 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-4015017734-987073429-1860001923-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
Application Error None 2020-11-05 10:10:48 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error None 2020-11-05 11:05:25 Microsoft-Windows-Defrag 257: Òîìúò (C:) íå å äåôðàãìåíòèðàí, òúé êàòî âúçíèêíà ãðåøêà: Îïòèìèçèðàíåòî íà çàðåæäàíåòî íå ìîæå äà çàâúðøè ïîðàäè ëèïñà íà ñâîáîäíî ìÿñòî. (0x89000019)
Application Error None 2020-11-05 13:51:58 WinMgmt 10: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Application Error 100 2020-11-05 14:04:12 Application Error 1000: Èìå íà ïðèëîæåíèå ñ ãðåøêè: Dwm.exe, âåðñèÿ: 6.1.7600.16385, âðåìåâî êëåéìî: 0x4a5bc541 Èìå íà ìîäóë ñ ãðåøêè: msvcrt.dll, âåðñèÿ: 7.0.7601.17744, âðåìåâî êëåéìî: 0x4eeb033f Êîä íà èçêëþ÷åíèå: 0xc00000fd Îòìåñòâàíå íà ãðåøêà: 0x00000000000158ba ÈÄ íà ïðîöåñ íà ãðåøêà: 0x7a4 Íà÷àëåí ÷àñ íà ïðèëîæåíèåòî ñ ãðåøêè: 0x01d6b369e06af6b2 Ïúò íà ïðèëîæåíèåòî ñ ãðåøêè: C:\Windows\system32\Dwm.exe Ïúò íà ìîäóëà ñ ãðåøêè: C:\Windows\system32\msvcrt.dll ÈÄ íà äîêëàä: 040ee740-1f5f-11eb-82f9-7085c2348f8a
Security Audit Success 12288 2020-10-29 17:24:17 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-10-29 17:24:17 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 17:24:17 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 17:24:17 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 17:24:17 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 17:24:17 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-29 17:24:17 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xba49
Security Audit Success 12544 2020-10-29 17:24:18 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 17:24:18 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 17:24:18 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 17:24:18 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 17:24:18 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 17:24:18 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-29 17:24:21 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-10-29 17:24:21 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-10-29 17:24:21 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1bbab Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 17:24:21 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1bbd4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 17:24:21 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1bbab Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 17:24:31 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 17:24:31 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-10-29 17:24:43 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-10-29 17:24:44 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-10-29 17:24:49 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 17:24:49 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 17:25:16 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x4ef46 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 17:26:17 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 17:26:17 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-29 17:27:00 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 17:27:00 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-29 17:27:11 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 17:27:11 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-29 17:28:11 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 17:28:11 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-29 17:29:15 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 17:29:15 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 17:51:00 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 17:51:00 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 18:11:14 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 18:11:14 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12288 2020-10-29 18:58:10 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-10-29 18:58:10 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 18:58:10 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 18:58:10 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 18:58:10 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 18:58:10 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-29 18:58:10 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xb257
Security Audit Success 12544 2020-10-29 18:58:11 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 18:58:11 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 18:58:11 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 18:58:11 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 18:58:11 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 18:58:11 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 101 2020-10-29 18:58:12 Microsoft-Windows-Eventlog 1101: Audit events have been dropped by the transport. 0
Security Audit Success 12290 2020-10-29 18:58:15 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-10-29 18:58:18 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-10-29 18:58:18 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1de60 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 18:58:18 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1dea6 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 18:58:18 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1de60 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 18:58:25 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 18:58:25 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-10-29 18:58:27 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-10-29 18:58:29 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-10-29 18:58:31 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 18:58:31 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 18:58:40 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x42a04 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 18:59:48 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 18:59:48 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 19:00:27 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:00:27 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-29 19:00:47 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 19:00:47 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-29 19:00:58 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 19:00:58 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-29 19:01:59 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 19:01:59 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-29 19:14:47 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:14:47 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12288 2020-10-29 19:23:46 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-10-29 19:23:46 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 13568 2020-10-29 19:23:47 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xd518
Security Audit Success 12544 2020-10-29 19:23:48 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 19:23:48 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:23:48 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 19:23:48 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 19:23:49 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 19:23:49 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 19:23:49 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:23:49 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 19:23:49 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 19:23:49 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-29 19:23:52 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 101 2020-10-29 19:23:57 Microsoft-Windows-Eventlog 1101: Audit events have been dropped by the transport. 0
Security Audit Success 12544 2020-10-29 19:24:02 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:24:02 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-10-29 19:24:04 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-10-29 19:24:06 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-10-29 19:24:06 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2c8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-10-29 19:24:06 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x252ca Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 19:24:06 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x25307 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:24:06 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x252ca Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 19:24:24 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:24:24 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12288 2020-10-29 19:51:50 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-10-29 19:51:50 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 19:51:51 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 19:51:51 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:51:51 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 19:51:51 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-29 19:51:51 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xc9ae
Security Audit Success 12544 2020-10-29 19:51:52 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:51:52 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 19:51:53 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 19:51:53 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:51:53 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 19:51:53 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-29 19:51:55 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-10-29 19:52:00 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2bc Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-10-29 19:52:00 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1ef85 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2bc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 19:52:00 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1f043 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2bc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:52:00 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1ef85 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 101 2020-10-29 19:52:03 Microsoft-Windows-Eventlog 1101: Audit events have been dropped by the transport. 0
Security Audit Success 12544 2020-10-29 19:52:11 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:52:11 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-10-29 19:52:12 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-10-29 19:52:14 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-10-29 19:52:27 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:52:27 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 19:52:47 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x4d4bd Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 19:53:34 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:53:34 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-29 19:54:29 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 19:54:29 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-29 19:54:39 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 19:54:39 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-29 19:55:40 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 19:55:40 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-29 19:56:23 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:56:23 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-29 19:56:46 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 19:56:46 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-29 19:57:21 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 19:57:21 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-29 19:58:15 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 19:58:15 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-29 20:17:09 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 20:17:09 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-29 20:17:10 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 20:17:10 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-29 21:37:45 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:37:45 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 21:37:46 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:37:46 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-29 21:38:16 Microsoft-Windows-Security-Auditing 4904: An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x11d0 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x598df4
Security Audit Success 13568 2020-10-29 21:38:16 Microsoft-Windows-Security-Auditing 4905: An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x11d0 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x598df4
Security Audit Success 12544 2020-10-29 21:38:39 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:38:39 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 13826 2020-10-29 21:40:18 Microsoft-Windows-Security-Auditing 4734: A security-enabled local group was deleted. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-21-4015017734-987073429-1860001923-1001 Group Name: AMD FUEL Group Domain: ilia-PC Additional Information: Privileges: -
Security Audit Success 12545 2020-10-29 21:44:13 Microsoft-Windows-Security-Auditing 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1f043 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security Audit Success 103 2020-10-29 21:44:24 Microsoft-Windows-Eventlog 1100: The event logging service has shut down.
Security Audit Success 12288 2020-10-29 21:45:13 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-10-29 21:45:13 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 13568 2020-10-29 21:45:14 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xb47c
Security Audit Success 12544 2020-10-29 21:45:18 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 21:45:18 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:45:18 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 21:45:18 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 21:45:19 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 21:45:19 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 21:45:19 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:45:19 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 21:45:19 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 21:45:19 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-29 21:45:23 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-10-29 21:45:26 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-10-29 21:45:26 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1c2d2 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 21:45:26 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1c304 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:45:26 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1c2d2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 21:45:35 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:45:35 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-10-29 21:45:39 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-10-29 21:45:41 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-10-29 21:45:55 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:45:55 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 21:46:17 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x46a74 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 21:47:51 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:47:51 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 21:48:21 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:48:21 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-29 21:49:45 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 21:49:45 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-29 21:49:57 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 21:49:57 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-29 21:50:23 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:50:23 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 21:50:27 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:50:27 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 21:50:34 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:50:34 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-29 21:50:58 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 21:50:58 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-29 21:52:29 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:52:29 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-29 21:52:44 Microsoft-Windows-Security-Auditing 4904: An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x364 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x185669
Security Audit Success 13568 2020-10-29 21:52:44 Microsoft-Windows-Security-Auditing 4905: An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x364 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x185669
Security Audit Success 13568 2020-10-29 21:53:59 Microsoft-Windows-Security-Auditing 4904: An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x364 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x1cc28d
Security Audit Success 13568 2020-10-29 21:53:59 Microsoft-Windows-Security-Auditing 4905: An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x364 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x1cc28d
Security Audit Success 12544 2020-10-29 21:56:04 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 21:56:04 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 22:06:34 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 22:06:34 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 22:06:34 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 22:06:34 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 22:06:35 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 22:06:35 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-29 22:07:44 Microsoft-Windows-Security-Auditing 4904: An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0xb0c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x2f1f7f
Security Audit Success 13568 2020-10-29 22:07:44 Microsoft-Windows-Security-Auditing 4905: An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0xb0c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x2f1f7f
Security Audit Success 12545 2020-10-29 22:15:11 Microsoft-Windows-Security-Auditing 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1c304 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security Audit Success 103 2020-10-29 22:15:20 Microsoft-Windows-Eventlog 1100: The event logging service has shut down.
Security Audit Success 12288 2020-10-29 22:16:17 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-10-29 22:16:17 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 13568 2020-10-29 22:16:17 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xaa3f
Security Audit Success 12544 2020-10-29 22:16:19 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 22:16:19 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 22:16:20 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 22:16:20 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-29 22:16:22 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-10-29 22:16:22 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 22:16:22 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 22:16:22 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 22:16:22 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 22:16:22 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-29 22:16:22 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 22:16:23 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-10-29 22:16:23 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1cb3a Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 22:16:23 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1cb63 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 22:16:23 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1cb3a Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 22:16:25 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 22:16:25 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-10-29 22:16:37 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-10-29 22:16:41 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-10-29 22:16:44 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 22:16:44 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 22:17:32 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x6777d Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-29 22:18:12 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 22:18:12 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-29 22:19:06 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 22:19:06 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-29 22:19:16 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 22:19:16 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-29 22:20:16 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-29 22:20:16 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-29 22:20:56 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 22:20:56 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 22:42:59 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 22:42:59 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 22:52:56 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 22:52:56 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 22:52:57 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 22:52:57 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-29 22:53:25 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-29 22:53:25 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 00:08:26 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 00:08:26 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 00:08:26 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 00:08:26 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 01:18:12 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12545 2020-10-30 01:18:12 Microsoft-Windows-Security-Auditing 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1cb63 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security Audit Success 12548 2020-10-30 01:18:12 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 103 2020-10-30 01:19:17 Microsoft-Windows-Eventlog 1100: The event logging service has shut down.
Security Audit Success 12288 2020-10-30 10:28:55 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-10-30 10:28:55 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 10:28:55 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 10:28:55 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 10:28:55 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 10:28:55 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-30 10:28:55 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xb48b
Security Audit Success 12544 2020-10-30 10:28:57 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 10:28:57 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-30 10:28:58 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-10-30 10:28:58 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 10:28:58 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 10:28:58 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-10-30 10:28:58 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1c980 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 10:28:58 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1c9ed Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 10:28:58 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 10:28:58 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 10:28:58 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1c980 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 10:29:03 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 10:29:03 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-10-30 10:29:15 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-10-30 10:29:15 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-10-30 10:29:18 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 10:29:18 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 10:29:26 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x47699 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 10:30:31 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 10:30:31 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-30 10:31:50 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 10:31:50 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-30 10:32:02 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 10:32:02 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-30 10:33:03 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 10:33:03 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-30 10:35:33 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 10:35:33 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-30 10:42:41 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 10:42:41 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 11:32:22 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 11:32:22 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 11:48:23 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 11:48:23 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 11:48:24 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 11:48:24 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 11:48:24 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 11:48:24 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-30 11:50:02 Microsoft-Windows-Security-Auditing 4904: An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x1b68 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6bd864
Security Audit Success 13568 2020-10-30 11:50:02 Microsoft-Windows-Security-Auditing 4905: An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x1b68 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6bd864
Security Audit Success 12545 2020-10-30 11:52:47 Microsoft-Windows-Security-Auditing 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1c9ed This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security Audit Success 103 2020-10-30 11:52:56 Microsoft-Windows-Eventlog 1100: The event logging service has shut down.
Security Audit Success 12288 2020-10-30 11:53:58 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-10-30 11:53:58 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 13568 2020-10-30 11:53:58 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xaf75
Security Audit Success 12544 2020-10-30 11:54:01 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 11:54:01 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 11:54:01 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 11:54:01 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 11:54:03 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 11:54:03 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 11:54:03 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 11:54:03 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 11:54:03 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 11:54:03 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-30 11:54:04 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-10-30 11:54:04 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x35c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-10-30 11:54:04 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d5b4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x35c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 11:54:04 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d5de Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x35c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 11:54:04 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d5b4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 11:54:07 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 11:54:07 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-10-30 11:54:12 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12544 2020-10-30 11:54:15 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 11:54:15 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 11:54:27 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x4a06c Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12292 2020-10-30 11:54:28 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-10-30 11:55:25 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 11:55:25 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-30 11:57:02 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 11:57:02 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-30 11:57:14 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 11:57:14 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-30 11:58:14 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 11:58:14 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-30 11:58:16 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 11:58:16 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 12:17:16 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 12:17:16 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 12:17:53 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 12:17:53 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 12:28:31 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 12:28:31 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 12:28:31 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 12:28:31 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 12:28:32 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 12:28:32 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-30 12:29:00 Microsoft-Windows-Security-Auditing 4904: An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x1c70 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x47c084
Security Audit Success 13568 2020-10-30 12:29:00 Microsoft-Windows-Security-Auditing 4905: An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x1c70 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x47c084
Security Audit Success 13568 2020-10-30 12:30:56 Microsoft-Windows-Security-Auditing 4904: An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x1c70 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x54c907
Security Audit Success 13568 2020-10-30 12:30:56 Microsoft-Windows-Security-Auditing 4905: An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x1c70 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x54c907
Security Audit Success 12544 2020-10-30 12:37:16 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 12:37:16 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 12:37:16 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 12:37:16 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-30 12:37:39 Microsoft-Windows-Security-Auditing 4904: An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x1e28 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6bb74e
Security Audit Success 13568 2020-10-30 12:37:39 Microsoft-Windows-Security-Auditing 4905: An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x1e28 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6bb74e
Security Audit Success 12544 2020-10-30 12:38:44 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 12:38:44 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12545 2020-10-30 12:38:49 Microsoft-Windows-Security-Auditing 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d5de This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security Audit Success 12544 2020-10-30 12:38:51 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 12:38:51 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 103 2020-10-30 12:38:57 Microsoft-Windows-Eventlog 1100: The event logging service has shut down.
Security Audit Success 12288 2020-10-30 12:40:01 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-10-30 12:40:01 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 12:40:01 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 12:40:01 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 12:40:01 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 12:40:01 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-30 12:40:01 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xb314
Security Audit Success 12544 2020-10-30 12:40:03 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 12:40:03 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 12:40:03 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 12:40:03 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 12:40:03 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 12:40:03 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-30 12:40:04 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-10-30 12:40:04 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x364 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-10-30 12:40:04 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d127 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x364 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 12:40:04 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d1c1 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x364 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 12:40:04 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d127 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 12:40:06 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 12:40:06 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-10-30 12:40:10 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-10-30 12:40:15 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-10-30 12:40:27 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 12:40:27 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 12:41:10 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x5c719 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 12:42:12 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 12:42:12 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-30 12:42:59 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 12:42:59 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-30 12:43:09 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 12:43:09 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-30 12:44:10 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 12:44:10 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-30 12:52:33 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 12:52:33 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-30 12:53:43 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 12:53:43 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12545 2020-10-30 13:06:39 Microsoft-Windows-Security-Auditing 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d1c1 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security Audit Success 103 2020-10-30 13:06:45 Microsoft-Windows-Eventlog 1100: The event logging service has shut down.
Security Audit Success 12288 2020-10-30 13:07:42 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-10-30 13:07:42 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 13:07:43 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 13:07:43 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 13:07:43 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 13:07:43 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-30 13:07:43 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xa51b
Security Audit Success 12290 2020-10-30 13:07:45 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-10-30 13:07:45 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 13:07:45 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 13:07:45 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 13:07:45 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x394 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-10-30 13:07:45 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x17541 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x394 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 13:07:45 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1756a Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x394 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 13:07:45 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 13:07:45 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 13:07:45 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 13:07:45 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x17541 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 13:07:47 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 13:07:47 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-10-30 13:07:49 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-10-30 13:07:49 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-10-30 13:07:50 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 13:07:50 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 13:08:03 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x33b22 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 13:09:23 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 13:09:23 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-30 13:10:59 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 13:10:59 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-30 13:11:13 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 13:11:13 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-30 13:12:14 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 13:12:14 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-30 13:12:25 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 13:12:25 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 13:48:16 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 13:48:16 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 13:48:17 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 13:48:17 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 13:48:49 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 13:48:49 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 18:00:36 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 18:00:36 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 18:16:35 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 18:16:35 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 19:19:15 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 19:19:15 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 19:19:21 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 19:19:21 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 19:30:57 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 19:30:57 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 19:31:56 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 19:31:56 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 19:31:57 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 19:31:57 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 19:31:57 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 19:31:57 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-30 19:33:53 Microsoft-Windows-Security-Auditing 4904: An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x1fd0 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0xaa241f
Security Audit Success 13568 2020-10-30 19:33:53 Microsoft-Windows-Security-Auditing 4905: An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x1fd0 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0xaa241f
Security Audit Success 12545 2020-10-30 19:37:22 Microsoft-Windows-Security-Auditing 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1756a This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security Audit Success 103 2020-10-30 19:37:36 Microsoft-Windows-Eventlog 1100: The event logging service has shut down.
Security Audit Success 12288 2020-10-30 19:38:38 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-10-30 19:38:38 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 19:38:38 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 19:38:38 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 19:38:38 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 19:38:38 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-30 19:38:38 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xb3ab
Security Audit Success 12544 2020-10-30 19:38:40 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 19:38:40 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 19:38:40 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 19:38:40 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 19:38:40 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 19:38:40 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-30 19:38:41 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-10-30 19:38:41 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x368 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-10-30 19:38:41 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d70f Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x368 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 19:38:41 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d738 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x368 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 19:38:41 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d70f Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 19:38:43 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 19:38:43 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-10-30 19:38:46 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-10-30 19:38:46 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-10-30 19:38:47 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 19:38:47 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 19:38:59 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x4e72a Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 19:40:04 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 19:40:04 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-30 19:41:05 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 19:41:05 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-30 19:41:16 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 19:41:16 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-30 19:42:16 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 19:42:16 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-30 19:42:49 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 19:42:49 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 19:53:40 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 19:53:40 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 20:06:37 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 20:06:37 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 20:17:31 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 20:17:31 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 20:36:18 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 20:36:18 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 20:59:51 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 20:59:51 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 21:40:10 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 21:40:10 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 22:20:09 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-30 22:20:09 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 22:20:09 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-30 22:20:09 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-30 22:20:45 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 22:20:45 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-30 22:56:13 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 22:56:13 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-30 23:01:14 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-30 23:01:14 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-30 23:01:40 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 23:01:40 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-30 23:02:15 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-30 23:02:15 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-31 00:00:00 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-31 00:00:00 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-31 00:00:00 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-31 00:00:00 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12545 2020-10-31 00:01:20 Microsoft-Windows-Security-Auditing 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d738 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security Audit Success 12544 2020-10-31 00:01:21 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-31 00:01:21 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 103 2020-10-31 00:01:26 Microsoft-Windows-Eventlog 1100: The event logging service has shut down.
Security Audit Success 12288 2020-10-31 19:33:31 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-10-31 19:33:31 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-31 19:33:31 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-31 19:33:31 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-31 19:33:31 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-31 19:33:31 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-10-31 19:33:31 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xb5b4
Security Audit Success 12290 2020-10-31 19:33:33 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-10-31 19:33:33 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-31 19:33:33 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-31 19:33:33 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-31 19:33:33 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-31 19:33:33 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-31 19:33:33 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-31 19:33:34 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-10-31 19:33:34 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d04b Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-31 19:33:34 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d074 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-31 19:33:34 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d04b Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-31 19:33:35 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-31 19:33:35 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-10-31 19:33:37 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-10-31 19:33:37 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-10-31 19:33:37 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-31 19:33:37 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-31 19:33:47 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x4a957 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-31 19:34:56 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-31 19:34:56 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-10-31 19:36:11 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-31 19:36:11 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-31 19:36:22 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-31 19:36:22 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-10-31 19:37:22 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-10-31 19:37:22 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-10-31 19:38:03 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-31 19:38:03 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-31 20:34:07 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-10-31 20:34:07 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-31 20:34:07 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-10-31 20:34:07 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-10-31 21:38:00 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-10-31 21:38:00 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 00:00:00 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 00:00:00 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 00:00:00 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-01 00:00:00 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 01:49:16 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12545 2020-11-01 01:49:16 Microsoft-Windows-Security-Auditing 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d074 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security Audit Success 12548 2020-11-01 01:49:16 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 103 2020-11-01 01:49:21 Microsoft-Windows-Eventlog 1100: The event logging service has shut down.
Security Audit Success 12288 2020-11-01 11:10:36 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-11-01 11:10:36 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 11:10:36 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 11:10:36 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 11:10:36 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-01 11:10:36 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-11-01 11:10:36 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xb5cc
Security Audit Success 12544 2020-11-01 11:10:38 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 11:10:38 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 11:10:38 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 11:10:38 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-01 11:10:38 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-01 11:10:38 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-01 11:10:39 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-11-01 11:10:39 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3bc Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-11-01 11:10:39 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1cf71 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3bc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 11:10:39 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1cf9a Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3bc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 11:10:39 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1cf71 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 11:10:40 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 11:10:40 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-11-01 11:10:42 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-11-01 11:10:42 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-11-01 11:10:48 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 11:10:48 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 11:11:02 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x509b5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 11:12:06 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 11:12:06 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-01 11:13:28 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-01 11:13:28 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-01 11:13:39 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-01 11:13:39 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-01 11:14:39 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-01 11:14:39 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12288 2020-11-01 11:16:58 Microsoft-Windows-Security-Auditing 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x494 Name: C:\Windows\System32\svchost.exe Previous Time: 2020-11-01T09:16:58.068558400Z New Time: 2020-11-01T09:16:58.067000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Security Audit Success 12544 2020-11-01 12:11:12 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 12:11:12 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 12:11:13 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 12:11:13 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 13:31:57 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 13:31:57 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 13:57:23 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 13:57:23 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12288 2020-11-01 14:01:52 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-11-01 14:01:52 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 14:01:52 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 14:01:52 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 14:01:52 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-01 14:01:52 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-11-01 14:01:52 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xbbf4
Security Audit Success 12290 2020-11-01 14:01:54 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-11-01 14:01:54 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 14:01:54 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 14:01:54 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 14:01:54 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-01 14:01:54 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-01 14:01:54 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 14:01:55 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x374 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-11-01 14:01:55 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d552 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x374 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 14:01:55 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d5a9 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x374 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 14:01:55 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d552 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 14:01:56 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 14:01:56 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-11-01 14:01:58 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-11-01 14:01:59 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-11-01 14:01:59 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 14:01:59 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 101 2020-11-01 14:02:01 Microsoft-Windows-Eventlog 1101: Audit events have been dropped by the transport. 0
Security Audit Success 12544 2020-11-01 14:02:31 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x51146 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 14:03:26 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 14:03:26 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-01 14:04:08 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-01 14:04:08 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-01 14:04:19 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-01 14:04:19 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12288 2020-11-01 14:05:19 Microsoft-Windows-Security-Auditing 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x490 Name: C:\Windows\System32\svchost.exe Previous Time: 2020-11-01T12:05:19.633816500Z New Time: 2020-11-01T12:05:19.633000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Security Audit Success 12290 2020-11-01 14:05:19 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-01 14:05:19 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-01 14:11:34 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-01 14:11:34 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-11-01 14:13:40 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 14:13:40 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 14:44:29 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 14:44:29 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12288 2020-11-01 14:50:53 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-11-01 14:50:53 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 14:50:54 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 14:50:54 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 14:50:54 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-01 14:50:54 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-11-01 14:50:54 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xc640
Security Audit Success 12290 2020-11-01 14:50:56 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-11-01 14:50:56 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 14:50:56 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 14:50:56 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 14:50:56 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3b0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-11-01 14:50:56 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d965 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 14:50:56 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d9ed Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 14:50:56 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-01 14:50:56 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-01 14:50:56 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-01 14:50:56 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d965 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 14:50:58 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 14:50:58 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-11-01 14:51:01 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-11-01 14:51:01 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-11-01 14:51:01 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 14:51:01 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 101 2020-11-01 14:51:10 Microsoft-Windows-Eventlog 1101: Audit events have been dropped by the transport. 0
Security Audit Success 12544 2020-11-01 14:51:34 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x54c14 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 14:52:13 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 14:52:13 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-01 14:53:03 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-01 14:53:03 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-01 14:53:14 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-01 14:53:14 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-01 14:54:14 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-01 14:54:14 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12288 2020-11-01 14:57:27 Microsoft-Windows-Security-Auditing 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x488 Name: C:\Windows\System32\svchost.exe Previous Time: 2020-11-01T12:57:27.914797000Z New Time: 2020-11-01T12:57:27.914000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Security Audit Success 12544 2020-11-01 15:27:48 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 15:27:48 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 15:27:49 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 15:27:49 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 15:55:15 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 15:55:15 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12288 2020-11-01 16:04:51 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-11-01 16:04:51 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 16:04:51 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 16:04:51 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 16:04:51 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-01 16:04:51 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-11-01 16:04:51 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xc528
Security Audit Success 12544 2020-11-01 16:04:53 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 16:04:53 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 16:04:53 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 16:04:53 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-01 16:04:53 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-01 16:04:53 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-01 16:04:54 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-11-01 16:04:54 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-11-01 16:04:54 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1dd5d Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 16:04:54 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1dd86 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 16:04:54 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1dd5d Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 16:04:56 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 16:04:56 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-11-01 16:04:58 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-11-01 16:04:58 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-11-01 16:04:58 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 16:04:58 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 101 2020-11-01 16:05:00 Microsoft-Windows-Eventlog 1101: Audit events have been dropped by the transport. 0
Security Audit Success 12544 2020-11-01 16:05:29 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x5324e Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-01 16:06:24 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 16:06:24 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 16:06:30 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 16:06:30 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-01 16:07:08 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-01 16:07:08 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-01 16:07:19 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-01 16:07:19 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-01 16:08:19 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-01 16:08:19 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12288 2020-11-01 16:10:18 Microsoft-Windows-Security-Auditing 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x490 Name: C:\Windows\System32\svchost.exe Previous Time: 2020-11-01T14:10:18.863632800Z New Time: 2020-11-01T14:10:18.863000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Security Audit Success 12290 2020-11-01 16:12:35 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-01 16:12:35 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-11-01 16:41:30 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 16:41:30 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 16:41:31 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 16:41:31 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 16:55:32 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 16:55:32 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 17:51:13 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 17:51:13 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 18:08:47 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 18:08:47 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 18:29:29 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 18:29:29 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 18:59:39 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 18:59:39 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 19:20:34 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 19:20:34 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 19:33:49 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 19:33:49 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 21:24:05 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-01 21:24:05 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-01 23:43:47 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12545 2020-11-01 23:43:47 Microsoft-Windows-Security-Auditing 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1dd86 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security Audit Success 12548 2020-11-01 23:43:47 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 103 2020-11-01 23:43:52 Microsoft-Windows-Eventlog 1100: The event logging service has shut down.
Security Audit Success 12288 2020-11-02 08:37:35 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-11-02 08:37:35 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-02 08:37:35 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-02 08:37:35 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-02 08:37:35 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-02 08:37:35 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-11-02 08:37:35 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xb51b
Security Audit Success 12544 2020-11-02 08:37:37 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-02 08:37:37 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-02 08:37:37 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-02 08:37:37 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-02 08:37:37 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-02 08:37:37 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-02 08:37:38 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-11-02 08:37:38 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3b8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-11-02 08:37:38 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1cf7d Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-02 08:37:38 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1cfa6 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-02 08:37:38 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1cf7d Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-02 08:37:39 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-02 08:37:39 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-11-02 08:37:41 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-11-02 08:37:41 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-11-02 08:37:42 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-02 08:37:42 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-02 08:37:52 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x49838 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-02 08:38:58 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-02 08:38:58 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-02 08:39:41 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-02 08:39:41 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-02 08:39:52 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-02 08:39:52 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-02 08:40:52 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-02 08:40:52 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-02 08:41:47 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-02 08:41:47 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-11-02 08:43:37 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-02 08:43:37 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-02 08:44:16 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-02 08:44:16 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12288 2020-11-02 08:44:59 Microsoft-Windows-Security-Auditing 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x48c Name: C:\Windows\System32\svchost.exe Previous Time: 2020-11-02T06:44:56.902767300Z New Time: 2020-11-02T06:44:59.735542700Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Security Audit Success 12288 2020-11-02 08:44:59 Microsoft-Windows-Security-Auditing 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x48c Name: C:\Windows\System32\svchost.exe Previous Time: 2020-11-02T06:44:59.754542700Z New Time: 2020-11-02T06:44:59.754000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Security Audit Success 12288 2020-11-02 08:44:59 Microsoft-Windows-Security-Auditing 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x48c Name: C:\Windows\System32\svchost.exe Previous Time: 2020-11-02T06:44:59.762000400Z New Time: 2020-11-02T06:44:59.762000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Security Audit Success 12544 2020-11-02 09:12:17 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-02 09:12:17 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-02 09:37:02 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-02 09:37:02 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-02 09:47:03 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-02 09:47:03 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-02 09:47:03 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-02 09:47:03 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-02 14:27:53 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-02 14:27:53 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-02 22:23:11 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-02 22:23:11 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-02 22:26:42 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-02 22:26:42 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-11-02 22:27:07 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-02 22:27:07 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12545 2020-11-03 00:24:00 Microsoft-Windows-Security-Auditing 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1cfa6 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security Audit Success 103 2020-11-03 00:24:07 Microsoft-Windows-Eventlog 1100: The event logging service has shut down.
Security Audit Success 12288 2020-11-03 19:37:57 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-11-03 19:37:57 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-03 19:37:57 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-03 19:37:57 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-03 19:37:57 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-03 19:37:57 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-11-03 19:37:57 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xb5a2
Security Audit Success 12544 2020-11-03 19:37:59 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-03 19:37:59 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-03 19:37:59 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-03 19:37:59 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-03 19:37:59 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-03 19:37:59 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-03 19:38:00 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-11-03 19:38:00 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3b8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-11-03 19:38:00 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d086 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-03 19:38:00 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d0e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-03 19:38:00 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d086 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-03 19:38:01 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-03 19:38:01 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-11-03 19:38:02 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-11-03 19:38:03 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-11-03 19:38:03 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-03 19:38:03 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-03 19:38:31 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x5d0ca Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-03 19:39:40 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-03 19:39:40 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-03 19:41:04 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-03 19:41:04 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12292 2020-11-03 19:41:15 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-03 19:41:16 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12290 2020-11-03 19:42:16 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-03 19:42:16 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-11-03 19:43:04 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-03 19:43:04 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-03 20:23:31 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-03 20:23:31 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-03 20:23:44 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-03 20:23:44 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-03 20:23:46 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-03 20:23:46 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-03 21:23:07 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-03 21:23:07 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-03 21:29:57 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-03 21:29:57 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12545 2020-11-03 21:30:49 Microsoft-Windows-Security-Auditing 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d0e4 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security Audit Success 103 2020-11-03 21:30:56 Microsoft-Windows-Eventlog 1100: The event logging service has shut down.
Security Audit Success 12288 2020-11-04 16:31:56 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-11-04 16:31:56 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-04 16:31:56 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 16:31:56 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-11-04 16:31:56 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xb515
Security Audit Success 12544 2020-11-04 16:31:57 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 16:31:57 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-04 16:31:59 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-04 16:31:59 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-04 16:31:59 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 16:31:59 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-04 16:31:59 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-04 16:31:59 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-04 16:32:00 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-11-04 16:32:00 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-11-04 16:32:00 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1c90e Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-04 16:32:00 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1c962 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 16:32:00 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1c90e Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-04 16:32:04 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 16:32:04 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-11-04 16:32:05 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-11-04 16:32:05 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-11-04 16:32:11 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 16:32:11 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-04 16:32:19 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x44bbf Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-04 16:33:40 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 16:33:40 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-04 16:35:02 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-04 16:35:02 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-04 16:35:13 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-04 16:35:13 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-04 16:36:14 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-04 16:36:14 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-11-04 16:37:06 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 16:37:06 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12288 2020-11-04 17:01:29 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-11-04 17:01:29 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-04 17:01:30 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-04 17:01:30 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 17:01:30 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-04 17:01:30 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-11-04 17:01:30 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xb685
Security Audit Success 12544 2020-11-04 17:01:32 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-04 17:01:32 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-04 17:01:32 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 17:01:32 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-04 17:01:32 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-04 17:01:32 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-04 17:01:33 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-11-04 17:01:33 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-11-04 17:01:33 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d92a Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-04 17:01:33 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d953 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 17:01:33 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d92a Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 101 2020-11-04 17:01:38 Microsoft-Windows-Eventlog 1101: Audit events have been dropped by the transport. 0
Security Audit Success 12544 2020-11-04 17:01:38 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 17:01:38 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-11-04 17:01:39 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-11-04 17:01:40 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-11-04 17:01:47 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 17:01:47 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-04 17:02:08 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x4b997 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-04 17:02:57 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 17:02:57 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-04 17:04:09 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-04 17:04:09 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-04 17:04:19 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-04 17:04:19 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-04 17:05:19 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-04 17:05:19 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-11-04 17:05:59 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 17:05:59 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-04 17:42:16 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 17:42:16 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-04 17:42:17 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 17:42:17 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-04 18:35:04 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-04 18:35:04 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-04 21:52:20 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-04 21:52:20 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-04 21:53:15 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-04 21:53:15 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-04 21:53:30 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-04 21:53:30 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-11-05 00:00:00 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-05 00:00:00 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 00:00:00 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-05 00:00:00 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-05 01:22:08 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 01:22:08 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12545 2020-11-05 01:30:44 Microsoft-Windows-Security-Auditing 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1d953 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Security Audit Success 103 2020-11-05 01:30:55 Microsoft-Windows-Eventlog 1100: The event logging service has shut down.
Security Audit Success 12288 2020-11-05 10:09:18 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-11-05 10:09:18 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-05 10:09:18 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 10:09:18 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-11-05 10:09:18 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xb3c8
Security Audit Success 12544 2020-11-05 10:09:19 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 10:09:19 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-05 10:09:21 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-11-05 10:09:21 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-05 10:09:21 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-05 10:09:21 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-05 10:09:21 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3bc Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-11-05 10:09:21 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1c900 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3bc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-05 10:09:21 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1c929 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3bc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 10:09:21 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-05 10:09:21 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-05 10:09:21 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-05 10:09:21 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1c900 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-05 10:09:23 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 10:09:23 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-11-05 10:09:24 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 12292 2020-11-05 10:09:32 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-11-05 10:09:36 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 10:09:36 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-05 10:10:14 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x5a51e Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-05 10:11:01 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 10:11:01 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-05 10:12:13 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-05 10:12:13 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-05 10:12:23 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-05 10:12:23 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-05 10:13:24 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-05 10:13:24 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-11-05 10:15:45 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 10:15:45 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-05 10:59:55 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 10:59:55 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-05 11:09:54 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-05 11:09:54 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 11:09:54 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-05 11:09:54 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-05 11:35:35 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-05 11:35:35 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-05 11:39:59 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-05 11:39:59 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-05 11:49:16 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-05 11:49:16 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-11-05 11:54:47 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 11:54:47 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12288 2020-11-05 13:50:33 Microsoft-Windows-Security-Auditing 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Security Audit Success 12544 2020-11-05 13:50:33 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-05 13:50:33 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-05 13:50:33 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 13:50:33 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-05 13:50:33 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 13568 2020-11-05 13:50:33 Microsoft-Windows-Security-Auditing 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xb9c1
Security Audit Success 12290 2020-11-05 13:50:35 Microsoft-Windows-Security-Auditing 5056: A cryptographic self test was performed. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Module: ncrypt.dll Return Code: 0x0
Security Audit Success 12544 2020-11-05 13:50:35 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-05 13:50:35 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-05 13:50:35 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 13:50:35 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-05 13:50:35 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12548 2020-11-05 13:50:35 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-05 13:50:36 Microsoft-Windows-Security-Auditing 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ilia Account Domain: ilia-PC Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Security Audit Success 12544 2020-11-05 13:50:36 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1ce47 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-05 13:50:36 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1ce70 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3b4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ILIA-PC Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 13:50:36 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4015017734-987073429-1860001923-1000 Account Name: ilia Account Domain: ilia-PC Logon ID: 0x1ce47 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-05 13:50:37 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 13:50:37 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12292 2020-11-05 13:50:39 Microsoft-Windows-Security-Auditing 5033: The Windows Firewall Driver started successfully.
Security Audit Success 101 2020-11-05 13:50:41 Microsoft-Windows-Eventlog 1101: Audit events have been dropped by the transport. 0
Security Audit Success 12292 2020-11-05 13:50:54 Microsoft-Windows-Security-Auditing 5024: The Windows Firewall service started successfully.
Security Audit Success 12544 2020-11-05 13:50:55 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 13:50:55 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-05 13:51:06 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x55c87 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12544 2020-11-05 13:52:01 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 13:52:01 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-05 13:52:52 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-05 13:52:52 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-05 13:53:02 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-05 13:53:02 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-05 13:54:02 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-05 13:54:02 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: {38DAB204-F4DC-4A28-ADFE-6AD8E246920F} Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\Keys\68e93f6a58fa6d8383e413e60df8a160_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12290 2020-11-05 14:03:55 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-05 14:03:55 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
Security Audit Success 12544 2020-11-05 14:04:12 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 14:04:12 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-05 14:29:23 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 14:29:23 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-05 14:42:10 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 14:42:10 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12544 2020-11-05 14:42:11 Microsoft-Windows-Security-Auditing 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ILIA-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Security Audit Success 12548 2020-11-05 14:42:11 Microsoft-Windows-Security-Auditing 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Security Audit Success 12290 2020-11-05 15:35:27 Microsoft-Windows-Security-Auditing 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
Security Audit Success 12292 2020-11-05 15:35:27 Microsoft-Windows-Security-Auditing 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: %%2432 Key Name: 38d8ca50-6280-41e6-83ed-2dc3ed904b29 Key Type: %%2499 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\214c0f4ee3df86972f99e91643b5bca6_1344f069-8be5-40af-a4cc-5a6cdd48302e Operation: %%2458 Return Code: 0x0
System Error None 2020-10-29 17:26:14 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-10-29 18:58:11 EventLog 6008: The previous system shutdown at 18:15:02 ÷. on ?29.?10.?2020 ?ã. was unexpected.
System Error None 2020-10-29 18:59:39 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-10-29 19:23:49 EventLog 6008: The previous system shutdown at 19:21:55 ÷. on ?29.?10.?2020 ?ã. was unexpected.
System Error None 2020-10-29 19:51:53 EventLog 6008: The previous system shutdown at 19:24:34 ÷. on ?29.?10.?2020 ?ã. was unexpected.
System Error None 2020-10-29 19:53:34 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Warning None 2020-10-29 21:44:27 SYSTEM Microsoft-Windows-WLAN-AutoConfig 10002: WLAN Extensibility Module ñïðÿ. Ïúò äî ìîäóëà: C:\Windows\system32\Rtlihvs.dll
System Warning None 2020-10-29 21:44:27 SYSTEM Microsoft-Windows-WLAN-AutoConfig 4001: Óñëóãàòà çà àâòîìàòè÷íî êîíôèãóðèðàíå íà áåçæè÷íàòà ìðåæà å óñïåøíî ñïðÿíà.
System Error None 2020-10-29 21:47:19 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-10-29 21:48:52 WMPNetworkSvc 14332: Óñëóãàòà "WMPNetworkSvc" íå å ñòàðòèðàíà ïðàâèëíî, ïîíåæå CoCreateInstance(CLSID_UPnPDeviceFinder) îòêðè ãðåøêà "0x80004005". Óâåðåòå ñå, ÷å ñå èçïúëíÿâà óñëóãàòà UPnPHost è ÷å êîìïîíåíòúò UPnPHost íà Windows å èíñòàëèðàí ïðàâèëíî.
System Warning None 2020-10-29 22:15:23 SYSTEM Microsoft-Windows-WLAN-AutoConfig 10002: WLAN Extensibility Module ñïðÿ. Ïúò äî ìîäóëà: C:\Windows\system32\Rtlihvs.dll
System Warning None 2020-10-29 22:15:23 SYSTEM Microsoft-Windows-WLAN-AutoConfig 4001: Óñëóãàòà çà àâòîìàòè÷íî êîíôèãóðèðàíå íà áåçæè÷íàòà ìðåæà å óñïåøíî ñïðÿíà.
System Error None 2020-10-29 22:18:06 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-10-29 22:22:36 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-10-29 22:22:37 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Warning None 2020-10-30 01:19:18 SYSTEM Microsoft-Windows-WLAN-AutoConfig 10002: WLAN Extensibility Module ñïðÿ. Ïúò äî ìîäóëà: C:\Windows\system32\Rtlihvs.dll
System Warning None 2020-10-30 01:19:18 SYSTEM Microsoft-Windows-WLAN-AutoConfig 4001: Óñëóãàòà çà àâòîìàòè÷íî êîíôèãóðèðàíå íà áåçæè÷íàòà ìðåæà å óñïåøíî ñïðÿíà.
System Error None 2020-10-30 10:30:24 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-10-30 10:35:16 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-10-30 10:35:17 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Error None 2020-10-30 10:57:00 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-10-30 10:57:00 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Error None 2020-10-30 11:39:38 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-10-30 11:39:38 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Error None 2020-10-30 11:52:05 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Warning None 2020-10-30 11:52:59 SYSTEM Microsoft-Windows-WLAN-AutoConfig 10002: WLAN Extensibility Module ñïðÿ. Ïúò äî ìîäóëà: C:\Windows\system32\Rtlihvs.dll
System Warning None 2020-10-30 11:52:59 SYSTEM Microsoft-Windows-WLAN-AutoConfig 4001: Óñëóãàòà çà àâòîìàòè÷íî êîíôèãóðèðàíå íà áåçæè÷íàòà ìðåæà å óñïåøíî ñïðÿíà.
System Error None 2020-10-30 11:54:14 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Error None 2020-10-30 11:55:23 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-10-30 12:01:44 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-10-30 12:01:45 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Error None 2020-10-30 12:06:56 Service Control Manager 7009: Èçòåêúë ïåðèîä íà èç÷àêâàíå (30000 ìèëèñåêóíäè) ïðè èç÷àêâàíå íà óñëóãà Steam Client Service äà ñå ñâúðæå.
System Error None 2020-10-30 12:06:56 Service Control Manager 7000: Óñëóãà Steam Client Service íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%1053
System Error None 2020-10-30 12:11:50 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-10-30 12:11:50 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Warning None 2020-10-30 12:38:59 SYSTEM Microsoft-Windows-WLAN-AutoConfig 10002: WLAN Extensibility Module ñïðÿ. Ïúò äî ìîäóëà: C:\Windows\system32\Rtlihvs.dll
System Warning None 2020-10-30 12:38:59 SYSTEM Microsoft-Windows-WLAN-AutoConfig 4001: Óñëóãàòà çà àâòîìàòè÷íî êîíôèãóðèðàíå íà áåçæè÷íàòà ìðåæà å óñïåøíî ñïðÿíà.
System Error None 2020-10-30 12:40:10 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Error None 2020-10-30 12:42:02 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-10-30 12:46:15 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-10-30 12:46:17 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Warning None 2020-10-30 13:06:46 SYSTEM Microsoft-Windows-WLAN-AutoConfig 10002: WLAN Extensibility Module ñïðÿ. Ïúò äî ìîäóëà: C:\Windows\system32\Rtlihvs.dll
System Warning None 2020-10-30 13:06:46 SYSTEM Microsoft-Windows-WLAN-AutoConfig 4001: Óñëóãàòà çà àâòîìàòè÷íî êîíôèãóðèðàíå íà áåçæè÷íàòà ìðåæà å óñïåøíî ñïðÿíà.
System Error None 2020-10-30 13:07:49 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Error None 2020-10-30 13:09:01 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-10-30 13:09:57 WMPNetworkSvc 14332: Óñëóãàòà "WMPNetworkSvc" íå å ñòàðòèðàíà ïðàâèëíî, ïîíåæå CoCreateInstance(CLSID_UPnPDeviceFinder) îòêðè ãðåøêà "0x80004005". Óâåðåòå ñå, ÷å ñå èçïúëíÿâà óñëóãàòà UPnPHost è ÷å êîìïîíåíòúò UPnPHost íà Windows å èíñòàëèðàí ïðàâèëíî.
System Error None 2020-10-30 13:11:49 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-10-30 13:11:49 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Error None 2020-10-30 13:22:42 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-10-30 13:22:42 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Error None 2020-10-30 18:24:13 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-10-30 18:24:13 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Error None 2020-10-30 19:36:11 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Warning None 2020-10-30 19:37:40 SYSTEM Microsoft-Windows-WLAN-AutoConfig 10002: WLAN Extensibility Module ñïðÿ. Ïúò äî ìîäóëà: C:\Windows\system32\Rtlihvs.dll
System Warning None 2020-10-30 19:37:40 SYSTEM Microsoft-Windows-WLAN-AutoConfig 4001: Óñëóãàòà çà àâòîìàòè÷íî êîíôèãóðèðàíå íà áåçæè÷íàòà ìðåæà å óñïåøíî ñïðÿíà.
System Error None 2020-10-30 19:38:46 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Error None 2020-10-30 19:39:59 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-10-30 19:45:31 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-10-30 19:45:32 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Error None 2020-10-30 20:11:31 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-10-30 20:11:31 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Warning None 2020-10-31 00:01:29 SYSTEM Microsoft-Windows-WLAN-AutoConfig 10002: WLAN Extensibility Module ñïðÿ. Ïúò äî ìîäóëà: C:\Windows\system32\Rtlihvs.dll
System Warning None 2020-10-31 00:01:29 SYSTEM Microsoft-Windows-WLAN-AutoConfig 4001: Óñëóãàòà çà àâòîìàòè÷íî êîíôèãóðèðàíå íà áåçæè÷íàòà ìðåæà å óñïåøíî ñïðÿíà.
System Error None 2020-10-31 19:33:37 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Error None 2020-10-31 19:34:49 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-10-31 19:41:14 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-10-31 19:41:14 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Warning None 2020-11-01 01:49:22 SYSTEM Microsoft-Windows-WLAN-AutoConfig 10002: WLAN Extensibility Module ñïðÿ. Ïúò äî ìîäóëà: C:\Windows\system32\Rtlihvs.dll
System Warning None 2020-11-01 01:49:22 SYSTEM Microsoft-Windows-WLAN-AutoConfig 4001: Óñëóãàòà çà àâòîìàòè÷íî êîíôèãóðèðàíå íà áåçæè÷íàòà ìðåæà å óñïåøíî ñïðÿíà.
System Error None 2020-11-01 11:10:42 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Error None 2020-11-01 11:12:02 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-11-01 11:16:52 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-11-01 11:16:52 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Error None 2020-11-01 14:01:54 EventLog 6008: The previous system shutdown at 13:59:26 ÷. on ?1.?11.?2020 ?ã. was unexpected.
System Error None 2020-11-01 14:01:58 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Error None 2020-11-01 14:03:26 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-11-01 14:50:56 EventLog 6008: The previous system shutdown at 14:49:44 ÷. on ?1.?11.?2020 ?ã. was unexpected.
System Error None 2020-11-01 14:51:01 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Error None 2020-11-01 14:52:10 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-11-01 14:58:04 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-11-01 14:58:05 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Error None 2020-11-01 16:04:53 EventLog 6008: The previous system shutdown at 16:03:31 ÷. on ?1.?11.?2020 ?ã. was unexpected.
System Error None 2020-11-01 16:04:58 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Error None 2020-11-01 16:06:20 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Warning None 2020-11-01 23:43:53 SYSTEM Microsoft-Windows-WLAN-AutoConfig 10002: WLAN Extensibility Module ñïðÿ. Ïúò äî ìîäóëà: C:\Windows\system32\Rtlihvs.dll
System Warning None 2020-11-01 23:43:53 SYSTEM Microsoft-Windows-WLAN-AutoConfig 4001: Óñëóãàòà çà àâòîìàòè÷íî êîíôèãóðèðàíå íà áåçæè÷íàòà ìðåæà å óñïåøíî ñïðÿíà.
System Error None 2020-11-02 08:37:41 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Error None 2020-11-02 08:38:51 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-11-02 08:43:49 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-11-02 08:43:50 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Warning None 2020-11-03 00:24:08 SYSTEM Microsoft-Windows-WLAN-AutoConfig 10002: WLAN Extensibility Module ñïðÿ. Ïúò äî ìîäóëà: C:\Windows\system32\Rtlihvs.dll
System Warning None 2020-11-03 00:24:08 SYSTEM Microsoft-Windows-WLAN-AutoConfig 4001: Óñëóãàòà çà àâòîìàòè÷íî êîíôèãóðèðàíå íà áåçæè÷íàòà ìðåæà å óñïåøíî ñïðÿíà.
System Error None 2020-11-03 19:38:02 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Error None 2020-11-03 19:39:28 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-11-03 19:44:09 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-11-03 19:44:10 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Warning None 2020-11-03 21:30:58 SYSTEM Microsoft-Windows-WLAN-AutoConfig 10002: WLAN Extensibility Module ñïðÿ. Ïúò äî ìîäóëà: C:\Windows\system32\Rtlihvs.dll
System Warning None 2020-11-03 21:30:58 SYSTEM Microsoft-Windows-WLAN-AutoConfig 4001: Óñëóãàòà çà àâòîìàòè÷íî êîíôèãóðèðàíå íà áåçæè÷íàòà ìðåæà å óñïåøíî ñïðÿíà.
System Error None 2020-11-04 16:32:05 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Error None 2020-11-04 16:33:19 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-11-04 16:38:04 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-11-04 16:38:05 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Error None 2020-11-04 17:01:32 EventLog 6008: The previous system shutdown at 16:38:33 ÷. on ?4.?11.?2020 ?ã. was unexpected.
System Error None 2020-11-04 17:01:39 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Error None 2020-11-04 17:02:54 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-11-04 17:03:46 WMPNetworkSvc 14332: Óñëóãàòà "WMPNetworkSvc" íå å ñòàðòèðàíà ïðàâèëíî, ïîíåæå CoCreateInstance(CLSID_UPnPDeviceFinder) îòêðè ãðåøêà "0x80004005". Óâåðåòå ñå, ÷å ñå èçïúëíÿâà óñëóãàòà UPnPHost è ÷å êîìïîíåíòúò UPnPHost íà Windows å èíñòàëèðàí ïðàâèëíî.
System Error None 2020-11-04 17:07:45 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-11-04 17:07:45 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Warning None 2020-11-05 01:30:56 SYSTEM Microsoft-Windows-WLAN-AutoConfig 10002: WLAN Extensibility Module ñïðÿ. Ïúò äî ìîäóëà: C:\Windows\system32\Rtlihvs.dll
System Warning None 2020-11-05 01:30:56 SYSTEM Microsoft-Windows-WLAN-AutoConfig 4001: Óñëóãàòà çà àâòîìàòè÷íî êîíôèãóðèðàíå íà áåçæè÷íàòà ìðåæà å óñïåøíî ñïðÿíà.
System Error None 2020-11-05 10:09:26 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Error None 2020-11-05 10:11:01 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-11-05 10:15:04 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-11-05 10:15:05 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Error None 2020-11-05 13:50:35 EventLog 6008: The previous system shutdown at 13:35:38 ÷. on ?5.?11.?2020 ?ã. was unexpected.
System Error None 2020-11-05 13:50:39 Service Control Manager 7000: Óñëóãà ACP Kernel Service Driver íå ìîæå äà áúäå ñòàðòèðàíà ïîðàäè ñëåäíàòà ãðåøêà: %%2
System Warning None 2020-11-05 13:50:49 NETWORK SERVICE Microsoft-Windows-DNS-Client 1014: Name resolution for the name 0.pool.ntp.org timed out after none of the configured DNS servers responded.
System Warning None 2020-11-05 13:51:03 NETWORK SERVICE Microsoft-Windows-DNS-Client 1014: Name resolution for the name 1.pool.ntp.org timed out after none of the configured DNS servers responded.
System Error None 2020-11-05 13:52:00 Service Control Manager 7026: Íåóñïåøíî çàðåæäàíå íà ñëåäíèÿ äðàéâåð, êîéòî ñå àêòèâèðà ñ âêëþ÷âàíå íà êîìïþòúðà èëè ñòàðòèðàíå íà ñèñòåìàòà: BTHidMgr
System Error None 2020-11-05 13:56:53 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-11-05 13:56:54 SYSTEM Schannel 36887: The following fatal alert was received: 40.
System Error None 2020-11-05 14:07:20 DCOM 10010: The server {ED1D0FDF-4414-470A-A56D-CFB68623FC58} did not register with DCOM within the required timeout.
System Error None 2020-11-05 14:56:42 SYSTEM Schannel 36887: The following fatal alert was received: 70.
System Error None 2020-11-05 14:56:42 SYSTEM Schannel 36887: The following fatal alert was received: 40.
Иначе това са параметрите на компютъра:
/* *************************************************** **************************************************** */
->
->
->
->
->
->
->
->
->
->
/* *************************************************** **************************************************** */
--------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> --------------------------------------------------------------------------------------------------------------------------------------------------------------------> /* *************************************************** **************************************************** */
-
atmax
Извън линия - Потребител
- Мнения: 492
- Регистриран на: 22 Мар 2018, 15:06
- Се отблагодари: 37 пъти
- Получена благодарност: 43 пъти
Препоръчайте ми читав Windows 10 без бъгове и максимално оптимизиран добре работещ
Да предположим, че си инсталирал драйвърите правилно.. Имам предвид, че първо трябва да ги изчистиш има една такава програма DisplayDriver Uninstaller или накратко DDU. След почистването ще се рестартира и тогава инсталирай новите драйвъри. Този проблем може да идва и от някой проблемен Software, ако е така ще трябва доста да си поиграеш.. Натискаш windows копчето + R, ще се отвори прозореца "Run", там пишеш msconfig. От там избираш Services и долу слагаш тикче на "Hide all Microsoft services", после натискаш Disable all и рестартираш, ако проблема е решен, това означава, че виновника се крие някъде там.. Тука идва и гадната част, трябва да повториш същите стъпки, но тоя път да си играеш да ги спираш 1 по 1 докато откриеш виновния Software..
Забравих да добавя, че понякога проблема идва и от антивирусната, преди да опиташ всичко това написано горе, пробвай първо това. Изключи си антивирусната, ако проблема не продължава ще трябва да я дейнсталираш.
Забравих да добавя, че понякога проблема идва и от антивирусната, преди да опиташ всичко това написано горе, пробвай първо това. Изключи си антивирусната, ако проблема не продължава ще трябва да я дейнсталираш.
Rest in peace my friend I always will remember you!
-
impossible
Извън линия - Потребител
- Мнения: 488
- Регистриран на: 15 Юни 2019, 12:41
- Се отблагодари: 23 пъти
- Получена благодарност: 47 пъти
Препоръчайте ми читав Windows 10 без бъгове и максимално оптимизиран добре работещ
Мисля, че една преинсталация ще свърши работа този компютър от както съществува не е бил преинсталиран имам доста файлове и папки даже съм забравил какво съм слагал в всяка една папка всичко ми изглежда доста нахвърляно и неподредено.
-
illusion
Извън линия - Developer
- Мнения: 1796
- Регистриран на: 27 Ное 2016, 17:47
- Местоположение: CraftVision
- Се отблагодари: 151 пъти
- Получена благодарност: 358 пъти
- Обратна връзка:
Препоръчайте ми читав Windows 10 без бъгове и максимално оптимизиран добре работещ
Като искаш да минаваш на 10-ка, давай. Дал съм ти линкче отгоре. Инсталацията е супер лесна, все едно инсталираш игра.
Но не е сигурно, че ще ти върви без забивания.
Но не е сигурно, че ще ти върви без забивания.
-
impossible
Извън линия - Потребител
- Мнения: 488
- Регистриран на: 15 Юни 2019, 12:41
- Се отблагодари: 23 пъти
- Получена благодарност: 47 пъти
Препоръчайте ми читав Windows 10 без бъгове и максимално оптимизиран добре работещ
memberlist.php?mode=viewprofile&u=237 - Тествано ли е не мога да видя информация директно сваля в Замунда има доста различни версии с подробно описание дали няма да е по-добре от там ?
-
Goddness
Извън линия - Потребител
- Мнения: 1812
- Регистриран на: 20 Май 2017, 11:47
- Местоположение: Някъде по света
- Се отблагодари: 141 пъти
- Получена благодарност: 187 пъти
- Обратна връзка:
Препоръчайте ми читав Windows 10 без бъгове и максимално оптимизиран добре работещ
Най-качествения Windows e купеният.
-
impossible
Извън линия - Потребител
- Мнения: 488
- Регистриран на: 15 Юни 2019, 12:41
- Се отблагодари: 23 пъти
- Получена благодарност: 47 пъти
Препоръчайте ми читав Windows 10 без бъгове и максимално оптимизиран добре работещ
Свалих тази програма https://www.nirsoft.net/utils/blue_screen_view.html
Последно промяна от impossible на 05 Ное 2020, 21:19, променено общо 1 път.
-
illusion
Извън линия - Developer
- Мнения: 1796
- Регистриран на: 27 Ное 2016, 17:47
- Местоположение: CraftVision
- Се отблагодари: 151 пъти
- Получена благодарност: 358 пъти
- Обратна връзка:
Препоръчайте ми читав Windows 10 без бъгове и максимално оптимизиран добре работещ
Давам ти линк от сайта на Microsoft, които са създали Windows? Мислиш ли, че zamunda ти е по-надеждна?
-
- Подобни теми
- Отговори
- Преглеждания
- Последно мнение
-
- 14 Отговори
- 2240 Преглеждания
-
Последно мнение от MaPaXyuA
-
- 6 Отговори
- 1120 Преглеждания
-
Последно мнение от Ant1Lamer
-
- 6 Отговори
- 1826 Преглеждания
-
Последно мнение от impossible
-
- 2 Отговори
- 1545 Преглеждания
-
Последно мнение от OciXCrom
-
- 0 Отговори
- 1788 Преглеждания
-
Последно мнение от Scorpions95
-
- 4 Отговори
- 1261 Преглеждания
-
Последно мнение от OciXCrom
-
- 13 Отговори
- 1809 Преглеждания
-
Последно мнение от Hurricane
Кой е на линия
Потребители разглеждащи този форум: 0 регистрирани и 4 госта