
Windows Explorer Crashes


39 replies to this topic

#16 Pantodynamos

  • Topic Starter
  • Members
  • 45 posts
  • Gender: Male

Posted 09 November 2015 - 08:40 AM

As suggested in the first link, I tried entering Safe Mode; the procedure is a bit different in Windows 10, but with a bit of Googling I found out how.

When in Safe Mode Windows Explorer did not crash.




#17 Wolverine 7

  • Members
  • 746 posts
  • Gender: Male
  • Location: Bournemouth, UK

Posted 14 November 2015 - 05:25 PM

> As suggested in the first link, I tried entering Safe Mode; the procedure is a bit different in Windows 10, but with a bit of Googling I found out how.
>
> When in Safe Mode Windows Explorer did not crash.

Ok, so that would be a service or program causing a problem that's not loading in Safe Mode, so we need to isolate that. Perform a clean boot?

There seem to be a lot of Win 10 Explorer crashes for some reason, particularly if you upgraded from 7?

Norton Antivirus has an Explorer crashing issue on 10 also, apparently.

I think the clean boot option should isolate the culprit, or maybe use Autoruns to stop items starting up.

Autoruns here: http://www.bleepingcomputer.com/download/autoruns/

Clean boot instructions:

https://windowsinstructed.com/clean-boot-windows-windows/

Let us know how it goes.


Edited by Wolverine 7, 14 November 2015 - 05:25 PM.


#18 Pantodynamos

  • Topic Starter
  • Members
  • 45 posts
  • Gender: Male

Posted 15 November 2015 - 01:29 PM

 

> > As suggested in the first link, I tried entering Safe Mode; the procedure is a bit different in Windows 10, but with a bit of Googling I found out how.
> >
> > When in Safe Mode Windows Explorer did not crash.
>
> Ok, so that would be a service or program causing a problem that's not loading in Safe Mode, so we need to isolate that. Perform a clean boot?
>
> There seem to be a lot of Win 10 Explorer crashes for some reason, particularly if you upgraded from 7?
>
> Norton Antivirus has an Explorer crashing issue on 10 also, apparently.
>
> I think the clean boot option should isolate the culprit, or maybe use Autoruns to stop items starting up.
>
> Autoruns here: http://www.bleepingcomputer.com/download/autoruns/
>
> Clean boot instructions:
>
> https://windowsinstructed.com/clean-boot-windows-windows/
>
> Let us know how it goes.

 

Tried clean boot. It doesn't solve the problem. If anything, it aggravates it: that blue screen isn't going away right now, and before it came, the computer was running slower than ever. I'll probably force-restart it by pressing the power button in a couple of minutes, then try and disable clean boot.

 

Update: I think I've disabled clean boot now, yet at first it wouldn't restart at all; I force-restarted, entered Safe Mode, and disabled Clean Boot; Safe Mode works perfectly, yet normal booting makes it unusable: it just freezes as I try and open stuff from the Desktop.


Edited by Pantodynamos, 15 November 2015 - 02:12 PM.


#19 Wolverine 7

  • Members
  • 746 posts
  • Gender: Male
  • Location: Bournemouth, UK

Posted 15 November 2015 - 04:04 PM

Trouble here is there's so many possible causes: updates, software, drivers...

I would be thinking restore point if you didn't try it.

Try resetting BIOS; if that doesn't work, what about trying a factory reset?



#20 Pantodynamos

  • Topic Starter
  • Members
  • 45 posts
  • Gender: Male

Posted 16 November 2015 - 11:58 AM

Restore point? Haven't tried it, but this problem has been occurring since updating to Windows 10, so I doubt it would help.

BIOS reset? Not sure how to go about it. In any case, I have never changed any BIOS settings so that's unlikely to solve the problem.



#21 Wolverine 7

  • Members
  • 746 posts
  • Gender: Male
  • Location: Bournemouth, UK

Posted 16 November 2015 - 04:37 PM

Endless Explorer crashes after upgrade to 10 if you Google; this machine was updated from 7 as it goes, but I've been lucky so far.

I don't know enough about this issue for a definitive fix, but check out

http://www.infoworld.com/article/2957239/microsoft-windows/microsoft-official-windows-10-patches-kb-3081424-kb-3081427.html

Mentions the updates that originally caused the problem; maybe you can use this as a starting point.

Worth a look:

http://superuser.com/questions/950659/file-explorer-crashing-on-windows-10

Just a thought: have you checked Event Viewer to see if it shows what's causing the crashes?


Edited by Wolverine 7, 16 November 2015 - 04:39 PM.


#22 Pantodynamos

  • Topic Starter
  • Members
  • 45 posts
  • Gender: Male

Posted 17 November 2015 - 08:04 AM

I was only vaguely aware that Event Viewer even existed, so no, I had not tried it. In any case, I searched for it, triggered a crash, and found appropriate entries for the time of the crash:

 

In Custom Views > Administrative Events

 

Log Name:      Application
Source:        Application Error
Date:          17-11-2015 17:06:44
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Pantodynamos
Description:
Faulting application name: Explorer.EXE, version: 10.0.10240.16431, time stamp: 0x55c9b75e
Faulting module name: ntdll.dll, version: 10.0.10240.16430, time stamp: 0x55c599e6
Exception code: 0xc0000005
Fault offset: 0x0006359a
Faulting process id: 0x12a0
Faulting application start time: 0x01d1212ad4138ad8
Faulting application path: C:\WINDOWS\Explorer.EXE
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 52268d2c-8e3e-4ee2-8acf-cb5784cda72a
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-17T11:36:44.000000000Z" />
    <EventRecordID>2492</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Pantodynamos</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Explorer.EXE</Data>
    <Data>10.0.10240.16431</Data>
    <Data>55c9b75e</Data>
    <Data>ntdll.dll</Data>
    <Data>10.0.10240.16430</Data>
    <Data>55c599e6</Data>
    <Data>c0000005</Data>
    <Data>0006359a</Data>
    <Data>12a0</Data>
    <Data>01d1212ad4138ad8</Data>
    <Data>C:\WINDOWS\Explorer.EXE</Data>
    <Data>C:\WINDOWS\SYSTEM32\ntdll.dll</Data>
    <Data>52268d2c-8e3e-4ee2-8acf-cb5784cda72a</Data>
    <Data>
    </Data>
    <Data>
    </Data>
  </EventData>
</Event>

In Windows Logs > Application

 

Log Name:      Application
Source:        Application Error
Date:          17-11-2015 17:06:44
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Pantodynamos
Description:
Faulting application name: Explorer.EXE, version: 10.0.10240.16431, time stamp: 0x55c9b75e
Faulting module name: ntdll.dll, version: 10.0.10240.16430, time stamp: 0x55c599e6
Exception code: 0xc0000005
Fault offset: 0x0006359a
Faulting process id: 0x12a0
Faulting application start time: 0x01d1212ad4138ad8
Faulting application path: C:\WINDOWS\Explorer.EXE
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 52268d2c-8e3e-4ee2-8acf-cb5784cda72a
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-17T11:36:44.000000000Z" />
    <EventRecordID>2492</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Pantodynamos</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Explorer.EXE</Data>
    <Data>10.0.10240.16431</Data>
    <Data>55c9b75e</Data>
    <Data>ntdll.dll</Data>
    <Data>10.0.10240.16430</Data>
    <Data>55c599e6</Data>
    <Data>c0000005</Data>
    <Data>0006359a</Data>
    <Data>12a0</Data>
    <Data>01d1212ad4138ad8</Data>
    <Data>C:\WINDOWS\Explorer.EXE</Data>
    <Data>C:\WINDOWS\SYSTEM32\ntdll.dll</Data>
    <Data>52268d2c-8e3e-4ee2-8acf-cb5784cda72a</Data>
    <Data>
    </Data>
    <Data>
    </Data>
  </EventData>
</Event>



#23 Wolverine 7

  • Members
  • 746 posts
  • Gender: Male
  • Location: Bournemouth, UK

Posted 17 November 2015 - 01:26 PM

Ok, that looks like a memory error; I don't know enough to read more from it other than Explorer's crashing.

Not much point in chkdsk or a restore point; you've had the issue all along.

Another thought: how many updates installed after upgrade? Could well be the issue?



#24 Pantodynamos

  • Topic Starter
  • Members
  • 45 posts
  • Gender: Male

Posted 17 November 2015 - 04:05 PM

The only updates installed thus far are those for Windows Defender, Microsoft Office and Internet Explorer, which are unlikely to have anything to do with the issue, and

Update for Windows 10 (KB3106932)
Update for Windows 10 (KB3074686)

 

Just saw that there are a batch which are not installed, so I just clicked the Download button.



#25 Wolverine 7

  • Members
  • 746 posts
  • Gender: Male
  • Location: Bournemouth, UK

Posted 17 November 2015 - 05:48 PM

Well, those don't seem to be the updates that have caused most of the problems.

What programs have you installed since upgrade?

Try updating your drivers: graphics, audio, WiFi if you use it... (even if there don't seem to be obvious problems with such).

Then run the file checker and health check:

Press Windows key + X

Click Command Prompt (Admin)

Type in at the prompt OR copy and paste these one at a time (hit Enter after each):

Dism /Online /Cleanup-Image /CheckHealth

Dism /Online /Cleanup-Image /ScanHealth

Dism /Online /Cleanup-Image /RestoreHealth

When the procedures are complete, exit the command prompt.

Next, do the following:

Right click on the Start button and click Command Prompt (Admin). Click Yes.

Type: cleanmgr.exe

Click OK


Edited by Wolverine 7, 17 November 2015 - 05:51 PM.


#26 Pantodynamos

  • Topic Starter
  • Members
  • 45 posts
  • Gender: Male

Posted 20 November 2015 - 03:50 PM

Done the Dism commands. No change. As for cleanmgr.exe, wouldn't that prevent me from downgrading to Windows 7? Surely it would delete the Windows 7 files? I'd still like to keep that option open. Is there anything else I can try?



#27 Wolverine 7

  • Members
  • 746 posts
  • Gender: Male
  • Location: Bournemouth, UK

Posted 20 November 2015 - 06:28 PM

> wouldn't that prevent me from downgrading to Windows 7?

Well, when you invoke the disk cleaner you're offered a choice of which files to delete, so no, I don't think that would stop you downgrading unless you cleaned the Windows.old folder.

Just came across this thread:

http://www.bleepingcomputer.com/forums/t/586464/windows-10-explorerexe-crashes-spontaneously-please-help/

Wondering if you're having the Win 10 file permissions issue?

You could download the free Windows Repair tool and tick "repair file permissions" (nothing else).

(Allow it to do its registry backup first, then tick just the "repair file permissions" box, allow it to run the repair and see if that fixes it.)

Windows Repair:

http://www.bleepingcomputer.com/download/windows-repair-all-in-one/

(If it doesn't work you can always restore the registry from backup.)



#28 Pantodynamos

  • Topic Starter
  • Members
  • 45 posts
  • Gender: Male

Posted 21 November 2015 - 04:25 PM

Checked the file permissions. Don't think that's the issue. Also did a disc cleanup as suggested, leaving the default items ticked. No more crashes so far, but it sort of froze for a good few minutes. I'll restart a little later and see if there are any crashes or if it freezes.



#29 Wolverine 7

  • Members
  • 746 posts
  • Gender: Male
  • Location: Bournemouth, UK

Posted 21 November 2015 - 04:37 PM

Ok, progress. Just a thought: check your startup entries with Task Manager and try stopping ones you don't need.

If that doesn't work it might be worth going back to Event Viewer for a further clue.


Edited by Wolverine 7, 21 November 2015 - 04:46 PM.


#30 Pantodynamos

  • Topic Starter
  • Members
  • 45 posts
  • Gender: Male

Posted 22 November 2015 - 08:57 AM

Spoke too soon: just restarted, and crash it goes again.

 

As for checking Event Viewer: the following seem to relate to a crash I deliberately triggered:

 

In Windows Logs > Application

 

Log Name:      Application
Source:        Application Error
Date:          23-11-2015 00:03:40
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Pantodynamos
Description:
Faulting application name: EXPLORER.EXE, version: 10.0.10240.16431, time stamp: 0x55c9b75e
Faulting module name: ntdll.dll, version: 10.0.10240.16430, time stamp: 0x55c599e6
Exception code: 0xc0000005
Fault offset: 0x0006359a
Faulting process id: 0x12a8
Faulting application start time: 0x01d1254aa6116cd1
Faulting application path: C:\WINDOWS\system32\EXPLORER.EXE
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 7d7eeb73-60fe-4104-a263-b297efebea0b
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-22T18:33:40.000000000Z" />
    <EventRecordID>3787</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Pantodynamos</Computer>
    <Security />
  </System>
  <EventData>
    <Data>EXPLORER.EXE</Data>
    <Data>10.0.10240.16431</Data>
    <Data>55c9b75e</Data>
    <Data>ntdll.dll</Data>
    <Data>10.0.10240.16430</Data>
    <Data>55c599e6</Data>
    <Data>c0000005</Data>
    <Data>0006359a</Data>
    <Data>12a8</Data>
    <Data>01d1254aa6116cd1</Data>
    <Data>C:\WINDOWS\system32\EXPLORER.EXE</Data>
    <Data>C:\WINDOWS\SYSTEM32\ntdll.dll</Data>
    <Data>7d7eeb73-60fe-4104-a263-b297efebea0b</Data>
    <Data>
    </Data>
    <Data>
    </Data>
  </EventData>
</Event>

 

Log Name:      Application
Source:        Windows Error Reporting
Date:          23-11-2015 00:03:42
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Pantodynamos
Description:
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: EXPLORER.EXE
P2: 10.0.10240.16431
P3: 55c9b75e
P4: ntdll.dll
P5: 10.0.10240.16430
P6: 55c599e6
P7: c0000005
P8: 0006359a
P9:
P10:

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXPLORER.EXE_6fd1eb5c8b62e089c6befa2714331111686920e3_02e7027b_2123f97a

Analysis symbol:
Rechecking for solution: 0
Report Id: 7d7eeb73-60fe-4104-a263-b297efebea0b
Report Status: 4
Hashed bucket:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Windows Error Reporting" />
    <EventID Qualifiers="0">1001</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-22T18:33:42.000000000Z" />
    <EventRecordID>3788</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Pantodynamos</Computer>
    <Security />
  </System>
  <EventData>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>APPCRASH</Data>
    <Data>Not available</Data>
    <Data>0</Data>
    <Data>EXPLORER.EXE</Data>
    <Data>10.0.10240.16431</Data>
    <Data>55c9b75e</Data>
    <Data>ntdll.dll</Data>
    <Data>10.0.10240.16430</Data>
    <Data>55c599e6</Data>
    <Data>c0000005</Data>
    <Data>0006359a</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXPLORER.EXE_6fd1eb5c8b62e089c6befa2714331111686920e3_02e7027b_2123f97a</Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>7d7eeb73-60fe-4104-a263-b297efebea0b</Data>
    <Data>4</Data>
    <Data>
    </Data>
  </EventData>
</Event>

 

Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          23-11-2015 00:03:42
Event ID:      1002
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Pantodynamos
Description:
The shell stopped unexpectedly and EXPLORER.EXE was restarted.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Winlogon" />
    <EventID Qualifiers="16384">1002</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-22T18:33:42.000000000Z" />
    <EventRecordID>3789</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>Pantodynamos</Computer>
    <Security />
  </System>
  <EventData>
    <Data>EXPLORER.EXE</Data>
  </EventData>
</Event>

 

Log Name:      Application
Source:        Windows Error Reporting
Date:          23-11-2015 00:04:19
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Pantodynamos
Description:
Fault bucket 107535186308, type 1
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: EXPLORER.EXE
P2: 10.0.10240.16431
P3: 55c9b75e
P4: ntdll.dll
P5: 10.0.10240.16430
P6: 55c599e6
P7: c0000005
P8: 0006359a
P9:
P10:

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_EXPLORER.EXE_6fd1eb5c8b62e089c6befa2714331111686920e3_02e7027b_232c8b0c

Analysis symbol:
Rechecking for solution: 0
Report Id: 7d7eeb73-60fe-4104-a263-b297efebea0b
Report Status: 0
Hashed bucket: 1e5f3c4b9993b5e06ab6db2ae1d2cb63
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Windows Error Reporting" />
    <EventID Qualifiers="0">1001</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-22T18:34:19.000000000Z" />
    <EventRecordID>3790</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Pantodynamos</Computer>
    <Security />
  </System>
  <EventData>
    <Data>107535186308</Data>
    <Data>1</Data>
    <Data>APPCRASH</Data>
    <Data>Not available</Data>
    <Data>0</Data>
    <Data>EXPLORER.EXE</Data>
    <Data>10.0.10240.16431</Data>
    <Data>55c9b75e</Data>
    <Data>ntdll.dll</Data>
    <Data>10.0.10240.16430</Data>
    <Data>55c599e6</Data>
    <Data>c0000005</Data>
    <Data>0006359a</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_EXPLORER.EXE_6fd1eb5c8b62e089c6befa2714331111686920e3_02e7027b_232c8b0c</Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>7d7eeb73-60fe-4104-a263-b297efebea0b</Data>
    <Data>0</Data>
    <Data>1e5f3c4b9993b5e06ab6db2ae1d2cb63</Data>
  </EventData>
</Event>

In Windows Logs > Security

 

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          23-11-2015 00:03:40
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Pantodynamos
Description:
An account was successfully logged on.

Subject:
    Security ID:        SYSTEM
    Account Name:        PANTODYNAMOS$
    Account Domain:        HOME
    Logon ID:        0x3E7

Logon Information:
    Logon Type:        5
    Restricted Admin Mode:    -
    Virtual Account:        No
    Elevated Token:        Yes

Impersonation Level:        Impersonation

New Logon:
    Security ID:        SYSTEM
    Account Name:        SYSTEM
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3E7
    Linked Logon ID:        0x0
    Network Account Name:    -
    Network Account Domain:    -
    Logon GUID:        {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:        0x2cc
    Process Name:        C:\Windows\System32\services.exe

Network Information:
    Workstation Name:    
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        Advapi  
    Authentication Package:    Negotiate
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4624</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-22T18:33:40.335570800Z" />
    <EventRecordID>26539</EventRecordID>
    <Correlation ActivityID="{424848AD-252D-0000-AE48-48422D25D101}" />
    <Execution ProcessID="724" ThreadID="9456" />
    <Channel>Security</Channel>
    <Computer>Pantodynamos</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">PANTODYNAMOS$</Data>
    <Data Name="SubjectDomainName">HOME</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-18</Data>
    <Data Name="TargetUserName">SYSTEM</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="TargetLogonId">0x3e7</Data>
    <Data Name="LogonType">5</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">
    </Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x2cc</Data>
    <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
    <Data Name="ImpersonationLevel">%%1833</Data>
    <Data Name="RestrictedAdminMode">-</Data>
    <Data Name="TargetOutboundUserName">-</Data>
    <Data Name="TargetOutboundDomainName">-</Data>
    <Data Name="VirtualAccount">%%1843</Data>
    <Data Name="TargetLinkedLogonId">0x0</Data>
    <Data Name="ElevatedToken">%%1842</Data>
  </EventData>
</Event>

 

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          23-11-2015 00:03:40
Event ID:      4672
Task Category: Special Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Pantodynamos
Description:
Special privileges assigned to new logon.

Subject:
    Security ID:        SYSTEM
    Account Name:        SYSTEM
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3E7

Privileges:        SeAssignPrimaryTokenPrivilege
            SeTcbPrivilege
            SeSecurityPrivilege
            SeTakeOwnershipPrivilege
            SeLoadDriverPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeDebugPrivilege
            SeAuditPrivilege
            SeSystemEnvironmentPrivilege
            SeImpersonatePrivilege
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4672</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12548</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-22T18:33:40.335630400Z" />
    <EventRecordID>26540</EventRecordID>
    <Correlation ActivityID="{424848AD-252D-0000-AE48-48422D25D101}" />
    <Execution ProcessID="724" ThreadID="9456" />
    <Channel>Security</Channel>
    <Computer>Pantodynamos</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
            SeTcbPrivilege
            SeSecurityPrivilege
            SeTakeOwnershipPrivilege
            SeLoadDriverPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeDebugPrivilege
            SeAuditPrivilege
            SeSystemEnvironmentPrivilege
            SeImpersonatePrivilege</Data>
  </EventData>
</Event>

 

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          23-11-2015 00:03:55
Event ID:      4797
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Pantodynamos
Description:
An attempt was made to query the existence of a blank password for an account.

Subject:
    Security ID:        LOCAL SERVICE
    Account Name:        LOCAL SERVICE
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3E5

Additional Information:
    Caller Workstation:    PANTODYNAMOS
    Target Account Name:    Admin
    Target Account Domain:    PANTODYNAMOS
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4797</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-22T18:33:55.158290500Z" />
    <EventRecordID>26541</EventRecordID>
    <Correlation ActivityID="{424848AD-252D-0000-AE48-48422D25D101}" />
    <Execution ProcessID="724" ThreadID="768" />
    <Channel>Security</Channel>
    <Computer>Pantodynamos</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-19</Data>
    <Data Name="SubjectUserName">LOCAL SERVICE</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e5</Data>
    <Data Name="Workstation">PANTODYNAMOS</Data>
    <Data Name="TargetUserName">Admin</Data>
    <Data Name="TargetDomainName">PANTODYNAMOS</Data>
  </EventData>
</Event>

The last event occurs 20 times, each with the same Description, Date and Time and Event ID.


Edited by Pantodynamos, 22 November 2015 - 02:02 PM.
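The Event Viewer records pasted in posts #22 and #30 describe one crash each in three pieces: Application Error event 1000 (the faulting image, module, exception code and offset as positional Data values), Windows Error Reporting event 1001 (the same facts as P1..P8 plus the bucket) and the Report Id that ties them together. The following Python script is an added example, not code from the thread or from BleepingComputer: it parses pasted Event XML, joins 1000 and 1001 records on Report Id, and buckets them by WER-style signature so repeated crashes can be counted rather than read one at a time. It assumes the positional Data layout shown in the thread's own events; the sample input is constructed from those events.

```python
"""Stitch Event Viewer crash records (pasted Event XML) into WER-style crash
signatures: event 1000 carries the facts as positional <Data> values, event 1001
repeats them as P1..P8 and shares the Report Id that joins the two records."""
import re
from collections import defaultdict
from xml.etree import ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Positional <Data> layout of event 1000, in the order its Description lists them.
FIELDS_1000 = ["app", "app_ver", "app_ts", "module", "module_ver", "module_ts", "exception",
               "offset", "pid", "start_time", "app_path", "module_path", "report_id"]
# Event 1001 layout: bucket, type, event name, response, cab id, P1..P10, attached files,
# files path, analysis symbol, rechecking, report id, report status, hashed bucket.
WER_P1, WER_REPORT_ID, WER_STATUS = 5, 19, 20

def iter_events(text):
    """Yield parsed <Event>...</Event> blocks found in pasted Event Viewer text."""
    for m in re.finditer(r"<Event xmlns=.*?</Event>", text, re.S):
        yield ET.fromstring(m.group(0))

def parse_event(ev):
    """Return provider name, event id, UTC time and the raw <Data> values of one event."""
    system = ev.find("e:System", NS)
    data = [(d.text or "").strip() for d in ev.find("e:EventData", NS).findall("e:Data", NS)]
    return {"provider": system.find("e:Provider", NS).get("Name"),
            "id": int(system.find("e:EventID", NS).text),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"), "data": data}

def crash_signature(p1_to_p8):
    """WER problem signature P1..P8. Windows file names are case-insensitive, so fold
    case: the thread logs the same crash as both Explorer.EXE and EXPLORER.EXE."""
    app, app_ver, app_ts, mod, mod_ver, mod_ts, exc, off = p1_to_p8
    return (app.lower(), app_ver, app_ts, mod.lower(), mod_ver, mod_ts, exc.lower(), off.lower())

def stitch_crashes(text):
    """Join 1000 and 1001 events on Report Id -> {report_id: crash dict}."""
    crashes = defaultdict(dict)
    for ev in iter_events(text):
        e = parse_event(ev)
        d = e["data"]
        if e["provider"] == "Application Error" and e["id"] == 1000:
            entry = crashes[d[12]]
            entry.update(zip(FIELDS_1000, d))
            entry["signature"], entry["time"] = crash_signature(d[:8]), e["time"]
        elif e["provider"] == "Windows Error Reporting" and e["id"] == 1001:
            entry = crashes[d[WER_REPORT_ID]]
            entry["wer_signature"] = crash_signature(d[WER_P1:WER_P1 + 8])
            entry["report_status"] = d[WER_STATUS]
    return dict(crashes)

def summarize(crashes):
    """Per signature: crash count, image paths seen, and whether WER P1..P8 agreed with 1000."""
    out = {}
    for c in crashes.values():
        sig = c.get("signature") or c["wer_signature"]
        s = out.setdefault(sig, {"count": 0, "paths": set(), "consistent": True})
        s["count"] += 1
        if "app_path" in c:
            s["paths"].add(c["app_path"])  # the thread shows two different paths for one bucket
        if c.get("wer_signature", sig) != sig:
            s["consistent"] = False  # Report Id joined records that disagree; distrust the bucket
    return out

def _mk(provider, eid, record, time, data):
    """Build one minimal Event XML record in Event Viewer's layout (constructed test input)."""
    body = "".join(f"<Data>{v}</Data>" for v in data)
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}" />'
            f'<EventID Qualifiers="0">{eid}</EventID><TimeCreated SystemTime="{time}" />'
            f'<EventRecordID>{record}</EventRecordID></System><EventData>{body}</EventData></Event>')

SAMPLE = "\n".join([  # constructed from the two 1000 records and the first 1001 record in the thread
    _mk("Application Error", 1000, 2492, "2015-11-17T11:36:44.000000000Z",
        ["Explorer.EXE", "10.0.10240.16431", "55c9b75e", "ntdll.dll", "10.0.10240.16430", "55c599e6",
         "c0000005", "0006359a", "12a0", "01d1212ad4138ad8", r"C:\WINDOWS\Explorer.EXE",
         r"C:\WINDOWS\SYSTEM32\ntdll.dll", "52268d2c-8e3e-4ee2-8acf-cb5784cda72a", "", ""]),
    _mk("Application Error", 1000, 3787, "2015-11-22T18:33:40.000000000Z",
        ["EXPLORER.EXE", "10.0.10240.16431", "55c9b75e", "ntdll.dll", "10.0.10240.16430", "55c599e6",
         "c0000005", "0006359a", "12a8", "01d1254aa6116cd1", r"C:\WINDOWS\system32\EXPLORER.EXE",
         r"C:\WINDOWS\SYSTEM32\ntdll.dll", "7d7eeb73-60fe-4104-a263-b297efebea0b", "", ""]),
    _mk("Windows Error Reporting", 1001, 3788, "2015-11-22T18:33:42.000000000Z",
        ["", "0", "APPCRASH", "Not available", "0", "EXPLORER.EXE", "10.0.10240.16431", "55c9b75e",
         "ntdll.dll", "10.0.10240.16430", "55c599e6", "c0000005", "0006359a", "", "", "",
         r"C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXPLORER.EXE_6fd1eb5c8b62e089c6befa2714331111686920e3_02e7027b_2123f97a",
         "", "0", "7d7eeb73-60fe-4104-a263-b297efebea0b", "4", ""]),
])

if __name__ == "__main__":
    for sig, s in summarize(stitch_crashes(SAMPLE)).items():
        print(f"{sig[0]} in {sig[3]} ({sig[6]} @ {sig[7]}): {s['count']} crash(es), paths {sorted(s['paths'])}, {'consistent' if s['consistent'] else 'MISMATCH'}")
```

Run against a larger paste (or the text of an exported .evtx) it turns a wall of records into one line per bucket; a single bucket whose count keeps climbing, as here, points at one faulting module rather than many unrelated faults.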




