Share via

Event 4624 triggered when I wasn;t at computer

TickTickTickTick 1 Reputation point
2021-07-16T15:40:38.117+00:00

Recently I was going over my event logs and found that there was an event log 4624 representing a successful logon at 11.45. The thing was, I was in school from 8 to 5, and left my laptop at home. There's also activity at 9 am, though only events with id 5379(Credential Manager credentials were read.) are found

Is it possible that the events were triggered automatically somehow? Or should I be concerned that someone in my house knows my password and is logging on to my accounts? Is there a way i can see the activity done on my computer after an event 4624, or further verify if a person has accessed my computer?

From what I can see, there are mostly events with logon type 2, 5 and 11. Impersonation levels are mostly "Impersonation". Should I specifically look for and count combinations? e.g. (x events with logon type 2, Impersonation level "Impersonation"), (y eventswith logon type 5, impersonation level "" )

Am I correct in that I should only worry about events with logon type 11, and regard the other types as automated system background stuff?

Is there a way to scan specific logon types?

Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
0 comments

6 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2021-07-22T08:23:38.93+00:00

    Hello @TickTickTickTick ,

    Thank you so much for your kindly reply.

    This provided event is triggered by the SYSTEM account and the logon account is SYSTEM. As mentioned, it is normal, and it is hard to tell from the event that someone is using your computer.

    116988-image.png

    As stated, this event 4624 is typically triggered by the SYSTEM account, no matter what the logon type is. If we have any concerns, we could keep on monitoring the event 4624 for different Subject\Security ID and account name.

    Since we would like to find out if someone is using our computer, it is suggested that we could take other measures, such as installing a monitor.

    Thanks a lot and wish you a lovely day.

    Best regards,
    Hannah Xiong

    1 person found this answer helpful.
  2. Castorix31 90,686 Reputation points
    2021-07-16T18:27:42.7+00:00

    Have you checked details, like Logon Type ?
    (Windows Security Log Event ID 4624)

    0 comments
  3. Anonymous
    2021-07-19T01:56:17.183+00:00

    Hello @TickTickTickTick ,

    Thank you so much for posting here.

    May I know more information or details of the event 4624? The event will record the logon type, logon account, and so on.

    For more information about this event, please refer to:
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

    Thanks and looking forward to hearing from you.

    Best regards,
    Hannah Xiong

  4. Anonymous
    2021-07-20T07:53:29.273+00:00

    Hello,

    Thank you so much for your kindly reply.

    The logon type is one side, and we should also pay attention to other information such as account name, which will indicate which account logs on to this computer. If possible, would you please check the account name information of the events? Are they the same account or different accounts?

    Looking forward to hearing from you.

    Best regards,
    Hannah Xiong

    0 comments
  5. TickTickTickTick 1 Reputation point
    2021-07-20T08:11:15.153+00:00

    @Anonymous

    I have only 1 account (it's the administrator one made during the first start up) on this computer, not including the default Administrator account, so they should all be the same. Is there a way to "hide" accounts from common use? If you require a full transcript, I can try to export my logs.

    Thanks

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.