Event 4624 triggered when I wasn;t at computer

TickTickTickTick 1

Recently I was going over my event logs and found that there was an event log 4624 representing a successful logon at 11.45. The thing was, I was in school from 8 to 5, and left my laptop at home. There's also activity at 9 am, though only events with id 5379(Credential Manager credentials were read.) are found

Is it possible that the events were triggered automatically somehow? Or should I be concerned that someone in my house knows my password and is logging on to my accounts? Is there a way i can see the activity done on my computer after an event 4624, or further verify if a person has accessed my computer?

From what I can see, there are mostly events with logon type 2, 5 and 11. Impersonation levels are mostly "Impersonation". Should I specifically look for and count combinations? e.g. (x events with logon type 2, Impersonation level "Impersonation"), (y eventswith logon type 5, impersonation level "" )

Am I correct in that I should only worry about events with logon type 11, and regard the other types as automated system background stuff?

Is there a way to scan specific logon types?

6 answers

Anonymous

2021-07-21T02:47:06.75+00:00

Hello @TickTickTickTick ,

Thank you so much for your kindly reply. We will need to review the event 4624 to check the account name. For example, below is the screenshot from my lab, which indicates that the account name Administrator logged on to the computer Client. And the logon Type is 10.

Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever "Subject\Security ID" is not SYSTEM. As mentioned before, we could refer to this documentation for the event 4624:
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

Due to security consideration, it is suggested not to share any logs here. For any confidential or private information, please try to make them blurred if we want to share the screenshots here.

For any question, please feel free to contact us.

Best regards,
Hannah Xiong
Please sign in to rate this answer.
TickTickTickTick 1 Reputation point

2021-07-21T16:35:10.087+00:00

@Anonymous the full log of the event in question is as follows: 116699-log.txt
My main concern is finding out if someone is using my computer. How can I seperate events triggered by the system from user-triggered events? I=From my understanding, if event 4624 triggers with logon type5 it is routine system check, while 7 or11 is user triggered, Is this right?

Thanks for any insight

Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee

2021-07-22T01:34:48.777+00:00

An account was successfully logged on. Subject: Security ID: SYSTEM Account Name: LAPTOP-FN2OMT9D$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54 Process Name: C:\Windows\System32\services.exe

This is not a human using your computer, it is a service running on the background as SYSTEM. It looks normal.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Event 4624 triggered when I wasn;t at computer

6 answers

Your answer