Hello,
Can someone help me with any information, please, about something very strange that happened during half a month when I had no use of my laptop? I did not even open it, and today when I logged on I found my E: disk (500 MB) almost full and red, with only 49 MB free out of
500; this in the situation that I did not open the laptop at all starting from 16 May.
When I was looking at what happened and why this situation occurred, I found a lot of events that happened during this time, with me not being at the laptop at all, or not even opening it. I have tried to clean the disk, but it is impossible. I cannot see what is inside, but in the
system activity there are 1200 events like someone, but not me. One of the events looks like what I am pasting below.
Thank you
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 16.05.2018 23:09:38
Event ID: 4688
Task Category: Process Creation
Level: Information
Keywords: Audit Success
User: N/A
Computer: DESKTOP-24A2ID4
Description:
A new process has been created.
Creator Subject:
    Security ID:            SYSTEM
    Account Name:
    Account Domain:
    Logon ID:               0x3E7
Target Subject:
    Security ID:            NULL SID
    Account Name:
    Account Domain:
    Logon ID:               0x0
Process Information:
    New Process ID:         0x78
    New Process Name:       Registry
    Token Elevation Type:   %%1936
    Mandatory Label:        Mandatory Label\System Mandatory Level
    Creator Process ID:     0x4
    Creator Process Name:
    Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2018-05-16T20:09:38.893140100Z" />
<EventRecordID>1</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="32" />
<Channel>Security</Channel>
<Computer>DESKTOP-24A2ID4</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="NewProcessId">0x78</Data>
<Data Name="NewProcessName">Registry</Data>
<Data Name="TokenElevationType">%%1936</Data>
<Data Name="ProcessId">0x4</Data>
<Data Name="CommandLine">
</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="TargetDomainName">-</Data>
<Data Name="TargetLogonId">0x0</Data>
<Data Name="ParentProcessName">
</Data>
<Data Name="MandatoryLabel">S-1-16-16384</Data>
</EventData>
</Event>
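As an added example (my own code, not part of the original post), here is a small Python script that parses the Event XML pasted above and applies a few defender-side triage rules to it: it decodes the TokenElevationType code (%%1936 and its neighbours) into the Type 1/2/3 meanings the event text describes, names the well-known SIDs and the mandatory (integrity) label, notes that EventRecordID 1 is the first record since the Security log was created or cleared, and recognises the specific shape shown here: new process "Registry", created by the System process (PID 4) running as SYSTEM. On Windows 10 version 1803 and later that is the kernel's own Registry process, started at every boot, so a record like this one is routine on its own. The rule set, its wording and the "expected"/"review" verdicts are my assumptions for illustration, not a Microsoft API; the XML embedded in the script is copied from the post.

```python
"""Triage a Windows Security event 4688 (process creation) from its Event XML."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Message-table codes that Event Viewer renders as the UAC token types
# described in the event text (Type 1..3).
TOKEN_ELEVATION = {
    "%%1936": ("Type 1", "full token: UAC disabled, built-in Administrator, or a service/SYSTEM account"),
    "%%1937": ("Type 2", "elevated token: Run as administrator, or the app always requires elevation"),
    "%%1938": ("Type 3", "limited token: standard UAC-filtered token"),
}
WELL_KNOWN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-0-0": "NULL SID"}
MANDATORY_LABELS = {"S-1-16-16384": "System Mandatory Level", "S-1-16-12288": "High",
                    "S-1-16-8192": "Medium", "S-1-16-4096": "Low"}

# The Event XML pasted in the post above (copied, not constructed).
POSTED_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2018-05-16T20:09:38.893140100Z" />
<EventRecordID>1</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="32" />
<Channel>Security</Channel>
<Computer>DESKTOP-24A2ID4</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="NewProcessId">0x78</Data>
<Data Name="NewProcessName">Registry</Data>
<Data Name="TokenElevationType">%%1936</Data>
<Data Name="ProcessId">0x4</Data>
<Data Name="CommandLine">
</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="TargetDomainName">-</Data>
<Data Name="TargetLogonId">0x0</Data>
<Data Name="ParentProcessName">
</Data>
<Data Name="MandatoryLabel">S-1-16-16384</Data>
</EventData>
</Event>"""


def parse_4688(xml_text):
    """Flatten the <System> fields we need plus every <EventData>/<Data> into one dict."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    ev = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    ev["EventID"] = int(sysnode.findtext("e:EventID", namespaces=NS))
    ev["EventRecordID"] = int(sysnode.findtext("e:EventRecordID", namespaces=NS))
    ev["TimeCreated"] = sysnode.find("e:TimeCreated", NS).get("SystemTime")
    return ev


def triage(ev):
    """Return (verdict, notes). The rules are illustrative defender heuristics (assumption)."""
    if ev["EventID"] != 4688:
        return "not a 4688 event", []
    notes = []
    ttype, meaning = TOKEN_ELEVATION.get(ev.get("TokenElevationType"), ("unknown", "unrecognised code"))
    notes.append(f"token elevation {ttype} ({meaning})")
    sid = ev.get("SubjectUserSid", "?")
    notes.append("creator account: " + WELL_KNOWN_SIDS.get(sid, sid))
    label = ev.get("MandatoryLabel", "?")
    notes.append("integrity: " + MANDATORY_LABELS.get(label, label))
    if ev["EventRecordID"] == 1:
        notes.append("record 1: first entry since the Security log was created or cleared")
    if not ev.get("CommandLine"):
        notes.append("no command line recorded (kernel-created process, or command-line auditing not enabled)")
    # Windows 10 1803+ creates a kernel process named "Registry" from System (PID 4) at boot.
    kernel_registry = (ev.get("NewProcessName") == "Registry"
                       and ev.get("ProcessId") == "0x4"
                       and sid == "S-1-5-18")
    if kernel_registry:
        return "expected: kernel Registry process started by System (PID 4) at boot", notes
    return "review: not matched by a known-benign rule", notes


if __name__ == "__main__":
    parsed = parse_4688(POSTED_EVENT)
    verdict, notes = triage(parsed)
    print(parsed["TimeCreated"], parsed["NewProcessName"], "->", verdict)
    for note in notes:
        print("  -", note)
```

To run the same rules over a whole exported log, feed each `<Event>` element from an `.evtx`-to-XML export (or the XML view of each record in Event Viewer) through `parse_4688` and `triage`; records that come back as "review" are the ones worth a closer look, while a single boot-time "Registry" record like this one is not evidence of another user.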