
Is this behavior normal for logins in Event Viewer?


10 replies to this topic

#1 HairyApricot

HairyApricot

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:01:37 PM

Posted 19 November 2016 - 04:37 PM

So I just checked the securities tab in event viewer for the first time in a while. I have noticed that when I log on, there are 3 logon tasks relating to winlogon, then a special logon as well. The login process is User32. After that there are always 2 logoff ones as well, which relate to the Logon IDs of the second and third logons. Is this normal activity? Lastly, I have also seen a Logon whose account domain is NT AUTHORITY. Its process however is services.exe, and its process is Advapi. Its Logon type is 5. It also comes with a Special Logon. Sorry if these seem obvious, but I would like to understand more about these. Any help is appreciated. Thanks :)





#2 hamluis

hamluis

    Moderator


  • Moderator
  • 55,728 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:08:37 AM

Posted 19 November 2016 - 05:57 PM

http://www.howtogeek.com/123646/htg-explains-what-the-windows-event-viewer-is-and-how-you-can-use-it/

 

Frankly...the only section of Event Viewer that bears any importance for me...Application and System.  I seldom look at any of the other subdivisions and I only focus on the errors noted, ignoring all warnings and information items.

 

Louis



#3 HairyApricot

HairyApricot
  • Topic Starter

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:01:37 PM

Posted 20 November 2016 - 10:20 AM

Hi Louis

 

I have never really paid it much attention either. I was just curious whether these messages were the norm or not.



#4 Soldierbane

Soldierbane

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Hampshire
  • Local time:08:37 AM

Posted 23 November 2016 - 11:02 AM

Without knowing what kind of environment you're running in, it's hard to say what exactly is normal, but for the most part it is pretty standard to see multiple events when you log in. This site has a pretty good explanation of what the different logon types mean: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624



#5 HairyApricot

HairyApricot
  • Topic Starter

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:01:37 PM

Posted 23 November 2016 - 01:08 PM

Hi Soldierbane. Thank you for that link. Well I haven't been able to find anything out of the ordinary on it. My only query would be why do services need to logon? Is it because certain tasks require admin credentials to run?



#6 Soldierbane

Soldierbane

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Hampshire
  • Local time:08:37 AM

Posted 23 November 2016 - 01:30 PM

I may be wrong here as this isn't really my area of expertise, but I think what is happening is that a lot of processes don't run as the user account, they run as SYSTEM. These processes will use the NT Authority logon to start. Services.exe controls which services start on your PC and ADVAPI (Advanced API) is what allows for a lot of programs to talk with the Windows code. 

 

Again, this is a really oversimplified version, and it might not be completely accurate. I would love for someone more knowledgeable than me to expand or clarify a bit as well. I don't think you have anything to be concerned about though.
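
The events discussed in this thread can be lined up by Logon ID with the following PowerShell, an added example that is not part of any poster's reply. It assumes an elevated session and the standard field names of Security events 4624 (logon), 4634 (logoff) and 4672 (special logon); the 24-hour window is an arbitrary choice.

```powershell
# Added example. Run from an elevated PowerShell session: the Security log
# is only readable by administrators.
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# 4624 = logon, 4634 = logoff, 4672 = special privileges assigned ("Special Logon").
# The 24-hour window is an arbitrary choice for this example.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634, 4672
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Copy the event's named <Data> fields into a lookup table.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) {
        $d[$n.Name] = $n.'#text'
    }

    # 4672 names the session in Subject* fields; 4624 and 4634 use Target* fields.
    $prefix = if ($e.Id -eq 4672) { 'Subject' } else { 'Target' }
    $type   = if ($d['LogonType']) { $logonTypes[[int]$d['LogonType']] } else { '' }
    $logonProcess = if ($d['LogonProcessName']) { $d['LogonProcessName'].Trim() } else { '' }

    [pscustomobject]@{
        LogonId      = $d["${prefix}LogonId"]
        Time         = $e.TimeCreated
        EventId      = $e.Id
        Type         = $type
        Account      = '{0}\{1}' -f $d["${prefix}DomainName"], $d["${prefix}UserName"]
        LogonProcess = $logonProcess
        Process      = $d['ProcessName']
    }
}

# One group per Logon ID: a logon, its special logon and its logoff appear together.
$rows | Sort-Object LogonId, Time |
    Format-Table -GroupBy LogonId -Property Time, EventId, Type, Account, LogonProcess, Process -AutoSize
```

In the output, a service start appears as a type 5 (Service) logon with services.exe as the process and Advapi as the logon process, and each 4634 logoff carries the Logon ID of the 4624 logon it closes.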



#7 Mishima

Mishima

  • Members
  • 338 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:37 AM

Posted 23 November 2016 - 03:15 PM

Those sound like normal events for the security event log... as I see similar things. (Of course, posting your security event log would not be a bad idea for further investigation)

 

Microsoft has laid this feature in place to monitor login/logout, security audits, and other security info of the system overall. However, hackers and rogue system administrators target this event logging, because very few look at it. If your system literally has a hacker, signs will become obvious of infection or loss of system control. What hackers and rogue system admins try to do is hide their activity, so they will attempt to target modifying this. Therefore, there is no way to know sometimes from the security event log if there is presence of an infection. This is why tools are developed, as well as security software, for deeper inspection.

 

If you are curious of a possible security incident, posting in the forum, "Am I Infected? What Do I Do?," would be a wise idea. Otherwise, you should not have many worries, friend! :)



#8 HairyApricot

HairyApricot
  • Topic Starter

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:01:37 PM

Posted 23 November 2016 - 03:21 PM

Nah I don't think I am infected. I have seen nothing to suggest that. I just looked at it for the first time and couldn't understand it. I have a tendency to think too much about these things or assume the worst ;)



#9 Mishima

Mishima

  • Members
  • 338 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:37 AM

Posted 23 November 2016 - 04:07 PM

You're just curious, which is a good thing! An educated user is a good user, I always say! :) I love learning on computers, and love seeing everyone around Bleeping Computer posting so much good information and taking their time to explain things. Feel free to browse around and learn! :)



#10 HairyApricot

HairyApricot
  • Topic Starter

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:01:37 PM

Posted 23 November 2016 - 04:42 PM

Thanks. Wish the curiosity didn't always come accompanied with me worrying about some nonexistent problem though XD

#11 Mishima

Mishima

  • Members
  • 338 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:37 AM

Posted 23 November 2016 - 05:36 PM

Yes, there's that... but curiosity is fine as you're learning more about your computer... when you start becoming curious on the internet and do not think about what you're clicking on, then things start turning sour. Nothing to worry... :thumbup2:





