Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Event log question


  • Please log in to reply
15 replies to this topic

#16 Riemann

Riemann

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:09 AM

Posted 16 September 2015 - 12:39 AM

A couple of questions based on what I'd look at if it was my computer...

  • What is the event id of the logon event logs you're seeing?
  • What is the logon type for the logins? (click the detail tab on the event log)
  • Did you confirm your user account was the one that logged on? (click on the detail tab and expand the "system" section)
  • What is the "logonprocessname" (click on the detail tab and expand the "system" section)
  • Are you sure the machine was 100% powered off, not just asleep or hibernating (or transitioning from asleep to hibernating--e.g. laptop lid closed)? We've seen random logon events in the middle of the night (on corp network) when the computer was moving between the two states. I'm asking b/c there is a difference between a boot event log, and a Windows logon event log.
  • What were the most recent boot and/or shutdown events near the logons (http://www.howtogeek.com/72420/how-to-use-event-viewer-to-find-your-pcs-boot-time/)
  • Have you checked the bios for any sort of scheduled boot-up settings (e.g. "resume by alarm")?
  • Are there any process creation events just before or during this time period (event 4688)?

For the process creation events, and for the events Didier mentioned and for process creation events, if this is a work computer, is it part of a domain with group policy enabled/applied? If so, you may have to confirm that these specific event logs are enabled. I don't know about the system time event logs referenced above, but I know that we weren't logging 4688 events until I asked the domain admin to enable them.



BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users