| Message | Id | Version | Qualifiers | Level | Task | Opcode | Keywords | RecordId | ProviderName | ProviderId | LogName | ProcessId | ThreadId | MachineName | UserId | TimeCreated | ActivityId | RelatedActivityId | ContainerLog | MatchedQueryIds | Bookmark | LevelDisplayName | OpcodeDisplayName | TaskDisplayName | KeywordsDisplayNames | Properties |
|---|
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0xF986E
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0xffc
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 15011 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:19:48 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A5AE5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15010 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:19:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B3829
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15009 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B3829
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15008 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:45 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B3829
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15007 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:45 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15006 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:45 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AE460
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15005 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AE460
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15004 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:34 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AE460
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15003 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:34 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15002 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:34 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x975635
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15001 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:32 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A6532
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15000 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:29 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A6532
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14999 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:29 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A6532
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14998 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:29 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14997 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:29 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A59A8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14996 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:29 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A5AE5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14995 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A5AE5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14994 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14993 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A5A90
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14992 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A5A90
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14991 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A5A90
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14990 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14989 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A5A4B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14988 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A5A4B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14987 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A5A4B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14986 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14985 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A59A8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14984 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2572434640-1155369237-470155402-374780233
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A59A8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14983 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99543CD0-8915-44DD-8A00-061C49B15616
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14982 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:16:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x99F8A1 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14981 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:15:32 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x99F8A1 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14980 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:15:32 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x99C4EE | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14979 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:15:22 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x99C4EE | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14978 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:15:22 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x986863
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14977 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:15:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x993F26 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14976 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:15:05 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x993F26 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14975 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:15:05 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9921F6 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14974 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:15:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9921F6 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14973 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:15:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98FE70
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14972 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98FE70
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14971 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:54 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98FE70
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14970 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:54 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14969 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:54 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98B105
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14968 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98B105
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14967 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:45 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98B105
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14966 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:45 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14965 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:45 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9872FC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14964 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9872FC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14963 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:38 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9872FC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14962 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:38 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14961 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:38 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x986728
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14960 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x986863
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14959 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:37 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x986863
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14958 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:37 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14957 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:37 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98680E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14956 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:37 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98680E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14955 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:37 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98680E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14954 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:37 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14953 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:37 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9867C9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14952 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:37 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9867C9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14951 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:37 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9867C9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14950 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:37 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14949 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:37 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x986728
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14948 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:37 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-729253168-1197233093-1916548537-1360660237
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x986728
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14947 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:37 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2B778530-53C5-475C-B935-3C720D071A51
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14946 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:37 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x983A05 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14945 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x983A05 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14944 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9824AC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14943 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9824AC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14942 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:27 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9824AC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14941 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:27 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14940 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:27 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x97F342 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14939 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:24 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x97F342 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14938 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:24 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x97C6B9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14937 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x97C6B9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14936 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x97C6B9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14935 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14934 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x932192
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14933 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9754E6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14932 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:14:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x975635
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14931 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:14:12 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x975635
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14930 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:14:12 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14929 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:14:12 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9755E0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14928 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:14:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9755E0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14927 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:14:12 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9755E0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14926 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:14:12 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14925 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:14:12 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x97559A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14924 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:14:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x97559A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14923 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:12 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x97559A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14922 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:12 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14921 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:12 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9754E6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14920 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:12 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4092377947-1282057056-88957868-4124258997
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9754E6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14919 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:12 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F3ECBB5B-A360-4C6A-AC63-4D05B532D3F5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14918 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:12 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B9CB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14917 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x96E27D | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14916 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x96E27D | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14915 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x96B0E8 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14914 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x96B0E8 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14913 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:14:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96915C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14912 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:13:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96915C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14911 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:13:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96915C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14910 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:13:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14909 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:13:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x968BA2 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14908 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:13:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x968BA2 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14907 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:13:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BDAA1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14906 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:13:50 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x963BE7 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14905 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:13:50 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x963BE7 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14904 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:13:50 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C444
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14903 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:43 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C444
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14902 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C444
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14901 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14900 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B7A9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14899 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B9CB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14898 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B9CB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14897 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14896 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B976
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14895 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B976
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14894 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B976
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14893 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14892 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B931
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14891 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B931
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14890 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B931
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14889 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14888 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8638F4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14887 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B7A9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14886 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2303837692-1324668092-2785301911-716398100
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B7A9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14885 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8951C5FC-D4BC-4EF4-9755-04A6145EB32A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14884 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x959C78
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14883 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:13:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x959C78
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14882 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:13:40 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x959C78
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14881 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:13:40 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14880 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:13:40 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F2421
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14879 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:13:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C835F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14878 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:22 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x94664A | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14877 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x94664A | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14876 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937816
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14875 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937816
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14874 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937816
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14873 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14872 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:13:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9331D8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14871 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9331D8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14870 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9331D8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14869 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14868 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x932004
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14867 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x932192
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14866 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x932192
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14865 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14864 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93213D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14863 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93213D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14862 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93213D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14861 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14860 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9320F8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14859 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9320F8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14858 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9320F8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14857 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14856 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x932004
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14855 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2442688446-1291389878-3403915908-524003152
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x932004
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14854 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 919877BE-0BB6-4CF9-84A2-E3CA50A73B1F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14853 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x92C79C | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14852 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:33 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x92C79C | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14851 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:12:33 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B3214
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14850 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:12:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x909DEE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14849 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:11:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x909DEE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14848 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:11:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x909DEE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14847 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:11:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14846 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:11:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x909D47 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14845 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:11:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x909D47 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14844 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:11:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x904165
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14843 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x904165
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14842 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:52 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x904165
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14841 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:52 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14840 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:52 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14839 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:50 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14838 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:50 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8FD6BC | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14837 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:50 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8FD6BC | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14836 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:50 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F4074
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14835 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:43 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F4074
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14834 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F4074
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14833 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14832 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F22E5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14831 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8F330B | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14830 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8F330B | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14829 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F2421
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14828 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F2421
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14827 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14826 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F23CC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14825 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F23CC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14824 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F23CC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14823 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14822 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F2387
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14821 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F2387
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14820 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F2387
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14819 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14818 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F22E5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14817 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-255080035-1104630566-4180760722-2689268544
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F22E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14816 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0F343663-5326-41D7-9258-31F940FB4AA0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14815 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8F1420 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14814 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:34 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8F1420 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14813 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:34 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8EFCA6 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14812 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:26 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8EFCA6 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14811 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:26 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x895185
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14810 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:11:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E809B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14809 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E809B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14808 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E809B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14807 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14806 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:11:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x892B23
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14805 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:10:50 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D7A90
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14804 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D7A90
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14803 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D7A90
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14802 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14801 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D35AE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14800 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:27 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D35AE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14799 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:27 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D35AE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14798 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:27 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14797 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:27 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8CFDA6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14796 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:24 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8CFDA6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14795 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:24 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8CFDA6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14794 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:24 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14793 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:24 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8CB0CE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14792 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:18 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8CB0CE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14791 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:18 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8CB0CE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14790 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:18 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14789 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:18 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C8211
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14788 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:10:12 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C835F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14787 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:10:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C835F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14786 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:10:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14785 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:10:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C830A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14784 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:10:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C830A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14783 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:10:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C830A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14782 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:10:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14781 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:10:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C82C4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14780 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:11 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C82C4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14779 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C82C4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14778 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14777 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C8211
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14776 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2809427438-1248866472-941647500-105414283
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C8211
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14775 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A77475EE-30A8-4A70-8C66-20388B7E4806
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14774 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:11 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C5BD7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14773 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C5BD7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14772 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:10 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C5BD7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14771 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:10 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14770 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:10 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C08DF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14769 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C08DF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14768 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C08DF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14767 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14766 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:10:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BD950
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14765 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8BE300 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14764 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8BE300 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14763 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BDAA1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14762 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BDAA1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14761 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14760 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BDA4C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14759 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BDA4C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14758 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BDA4C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14757 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14756 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BDA06
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14755 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BDA06
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14754 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BDA06
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14753 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14752 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BD950
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14751 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3467865508-1324566626-2543588529-782376826
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BD950
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14750 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CEB36DA4-4862-4EF3-B114-9C977A1FA22E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14749 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B7957
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14748 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B7957
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14747 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B7957
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14746 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14745 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B3E38
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14744 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B3E38
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14743 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B3E38
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14742 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14741 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B30D9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14740 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B3214
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14739 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B3214
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14738 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14737 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B31BF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14736 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B31BF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14735 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B31BF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14734 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14733 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:09:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B317A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14732 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:09:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B317A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14731 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:09:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B317A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14730 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:09:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14729 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:09:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B30D9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14728 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:09:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-387688836-1111128321-2164783769-2808726724
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B30D9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14727 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:09:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 171BA984-7901-423A-99FA-0781C4C469A7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14726 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:09:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x861140
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14725 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:09:06 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8A7E9E | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14724 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8A7E9E | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14723 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A74C4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14722 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A74C4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14721 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A74C4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14720 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14719 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8A42D1 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14718 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:50 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8A42D1 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14717 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:50 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8A2F2F | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14716 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8A2F2F | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14715 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89F6E3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14714 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89F6E3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14713 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:34 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89F6E3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14712 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:34 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14711 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:34 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89BF01
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14710 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89BF01
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14709 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89BF01
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14708 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14707 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x897660
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14706 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:29 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x897660
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14705 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:29 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x897660
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14704 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:29 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14703 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:29 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x894EB8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14702 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x895ACB | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14701 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:27 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x895ACB | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14700 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:27 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x895185
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14699 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x895185
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14698 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14697 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8950AF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14696 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8950AF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14695 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8950AF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14694 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14693 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89503E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14692 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89503E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14691 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89503E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14690 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14689 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x894EB8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14688 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-204955138-1259392388-560055171-2850748438
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x894EB8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14687 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0C375E02-CD84-4B10-83C3-612116F8EAA9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14686 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89371E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14685 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89371E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14684 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:21 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89371E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14683 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:21 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14682 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:21 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8929E7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14681 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x892B23
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14680 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x892B23
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14679 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14678 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x892ACE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14677 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x892ACE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14676 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x892ACE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14675 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14674 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x892A89
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14673 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x892A89
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14672 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x892A89
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14671 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14670 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8929E7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14669 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3310285563-1097333232-1922095519-1695230049
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8929E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14668 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C54EF2FB-F9F0-4167-9FD9-907261280B65
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14667 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83730E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14666 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:09 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x728353
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14665 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:08:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x722B63
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14664 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:07:34 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72B446
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14663 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:07:29 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x878B72
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14662 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x878B72
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14661 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:21 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x878B72
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14660 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:21 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14659 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:21 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A4954
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14658 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x869D31
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14657 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x869D31
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14656 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:13 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x869D31
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14655 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:13 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14654 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:13 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x86638B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14653 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x86638B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14652 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:10 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x86638B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14651 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:10 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14650 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:10 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8637A6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14649 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:08 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8638F4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14648 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8638F4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14647 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14646 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x86389F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14645 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x86389F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14644 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x86389F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14643 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14642 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x863859
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14641 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x863859
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14640 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x863859
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14639 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14638 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8637A6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14637 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1616326409-1306900141-307558790-2386778064
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8637A6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14636 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 60572F09-B6AD-4DE5-86F9-5412D057438E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14635 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x861D22
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14634 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x861D22
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14633 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:05 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x861D22
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14632 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:05 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14631 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:05 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x861005
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14630 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x861140
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14629 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x861140
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14628 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14627 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8610EB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14626 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8610EB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14625 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8610EB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14624 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14623 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8610A6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14622 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8610A6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14621 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8610A6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14620 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14619 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x861005
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14618 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3295239458-1131130169-2975516838-2949788012
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x861005
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14617 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C4695D22-AD39-436B-A6C8-5AB16C31D2AF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14616 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:07:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B3719
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14615 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:06:52 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71F274
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14614 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:06:49 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8510C8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14613 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:06:45 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8510C8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14612 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:06:45 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8510C8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14611 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:06:45 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14610 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:06:45 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FE423
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14609 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:06:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x845172
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14608 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:06:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x845172
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14607 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:06:38 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x845172
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14606 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:06:38 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14605 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:06:38 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x837FE5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14604 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:32 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x837FE5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14603 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:32 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x837FE5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14602 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:32 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14601 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:32 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8371D2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14600 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83730E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14599 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83730E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14598 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14597 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8372B9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14596 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8372B9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14595 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8372B9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14594 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14593 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x837274
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14592 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x837274
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14591 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x837274
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14590 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14589 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8371D2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14588 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3704998505-1135845132-646798773-675603102
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8371D2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14587 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DCD5CA69-9F0C-43B3-B55D-8D269EE24428
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14586 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x79529B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14585 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:09 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82F9C8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14584 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:08 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82F9C8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14583 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:08 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82F9C8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14582 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:08 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14581 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:06:08 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82BBC4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14580 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:06:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82BBC4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14579 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:06:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82BBC4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14578 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:06:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14577 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:06:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82AC02
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14576 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:06:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82AC02
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14575 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:06:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82AC02
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14574 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:06:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14573 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:06:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x826AB2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14572 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x826AB2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14571 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x826AB2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14570 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14569 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82529A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14568 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82529A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14567 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82529A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14566 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14565 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x824935
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14564 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x824935
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14563 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x824935
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14562 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14561 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x81D56B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14560 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x81D56B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14559 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:40 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x81D56B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14558 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:40 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14557 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:05:40 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x806804
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14556 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x806804
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14555 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x806804
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14554 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14553 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FFCDA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14552 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FFCDA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14551 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:33 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FFCDA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14550 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:33 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14549 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:33 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FE2E7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14548 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:32 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FE423
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14547 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FE423
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14546 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14545 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FE3CE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14544 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FE3CE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14543 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FE3CE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14542 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14541 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FE389
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14540 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:31 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FE389
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14539 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FE389
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14538 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14537 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FE2E7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14536 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3137216754-1338920885-393013423-3835918310
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FE2E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14535 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: BAFE20F2-4FB5-4FCE-AFE8-6C17E677A3E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14534 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:31 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F347B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14533 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:29 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F347B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14532 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:29 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F347B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14531 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:29 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14530 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:29 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E3ECC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14529 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:04:21 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E3ECC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14528 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:04:21 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E3ECC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14527 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:04:21 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14526 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:04:21 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7E2D93 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14525 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:04:21 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7E2D93 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14524 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:04:21 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7C7BAE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14523 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7C7BAE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14522 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:05 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7C7BAE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14521 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:05 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14520 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:05 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7C6529 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14519 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7C6529 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14518 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:04:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7C228D | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14517 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7C228D | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14516 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14515 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14514 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7B86F2 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14513 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7B86F2 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14512 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:53 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B6853
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14511 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:47 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B6853
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14510 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:47 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B6853
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14509 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:47 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14508 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:47 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7B50B0 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14507 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:46 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7B50B0 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14506 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:46 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B35CB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14505 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B3719
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14504 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B3719
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14503 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14502 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B36C4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14501 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B36C4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14500 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B36C4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14499 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14498 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B367E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14497 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:39 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B367E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14496 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:03:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B367E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14495 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:03:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14494 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:03:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B35CB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14493 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:03:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1595344839-1239354210-4020703114-3494839588
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7B35CB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14492 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:03:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5F1707C7-0B62-49DF-8A0F-A7EF24054FD0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14491 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:03:39 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A963B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14490 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A963B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14489 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:10 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A963B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14488 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:10 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14487 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:10 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A58E1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14486 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A58E1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14485 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:05 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A58E1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14484 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:05 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14483 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:05 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A4813
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14482 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A4954
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14481 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A4954
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14480 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14479 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A48FF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14478 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A48FF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14477 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A48FF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14476 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14475 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A48BA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14474 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:03:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A48BA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14473 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A48BA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14472 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14471 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A4813
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14470 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1121782404-1075465659-292996502-2898977770
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7A4813
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14469 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 42DD0A84-4DBB-401A-96C5-7611EAE3CAAC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14468 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:03:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x79EFB3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14467 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x79EFB3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14466 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:44 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x79EFB3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14465 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:44 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14464 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:44 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x79B239
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14463 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x79B239
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14462 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x79B239
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14461 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14460 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x799F5B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14459 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x799F5B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14458 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:40 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x799F5B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14457 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:40 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14456 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:40 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x796BC5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14455 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:36 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x796BC5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14454 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:36 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x796BC5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14453 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:36 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14452 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:36 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x79505E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14451 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x79529B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14450 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x79529B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14449 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14448 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7951D0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14447 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7951D0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14446 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7951D0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14445 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14444 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x795162
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14443 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x795162
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14442 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x795162
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14441 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14440 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x79505E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14439 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1132186999-1123195095-1085930171-4154165200
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x79505E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14438 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 437BCD77-98D7-42F2-BBFA-B940D0879BF7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14437 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:35 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x791B7D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14436 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x791B7D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14435 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:33 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x791B7D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14434 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:33 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14433 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:33 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7917F1 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14432 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:33 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7917F1 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14431 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:33 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x78F633 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14430 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x78F633 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14429 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78E454
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14428 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78E454
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14427 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78E454
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14426 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14425 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78DB17
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14424 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:23 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78DB17
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14423 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78DB17
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14422 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14421 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:23 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x78BA69 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14420 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:22 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x78BA69 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14419 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:22 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77C6E0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14418 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:16 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x781D3E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14417 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:10 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x781D3E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14416 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:10 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x781D3E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14415 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:10 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14414 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:10 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77D2F1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14413 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77D2F1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14412 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77D2F1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14411 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14410 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77C5A4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14409 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77C6E0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14408 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77C6E0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14407 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14406 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77C68B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14405 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77C68B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14404 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77C68B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14403 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14402 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77C646
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14401 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77C646
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14400 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77C646
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14399 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14398 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77C5A4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14397 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2515604186-1212123553-2232225454-3473731484
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77C5A4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14396 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 95F112DA-89A1-483F-AE0E-0D859CEF0CCF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14395 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x779FA4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14394 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:01 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x779FA4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14393 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x779FA4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14392 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14391 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:02:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x778BBB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14390 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x778BBB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14389 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x778BBB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14388 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14387 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7782B3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14386 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7782B3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14385 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7782B3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14384 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14383 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x750787
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14382 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 8:01:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71BD46
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14381 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:48 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7659E8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14380 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:44 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7659E8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14379 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:44 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7659E8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14378 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:44 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14377 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:44 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x75A9C3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14376 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x75A9C3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14375 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:42 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x75A9C3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14374 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:42 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14373 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:42 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x758806 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14372 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x758806 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14371 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x75568F | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14370 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:36 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x75568F | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14369 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:36 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x751832
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14368 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:30 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x751832
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14367 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:30 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x751832
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14366 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:30 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14365 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:30 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x75064A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14364 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:29 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x750787
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14363 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x750787
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14362 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14361 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x750732
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14360 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x750732
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14359 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x750732
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14358 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14357 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7506ED
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14356 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3200 | hv-cinder-74014 | | 8/1/2022 8:01:28 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7506ED
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14355 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7506ED
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14354 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14353 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x75064A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14352 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1095788544-1202929980-1697069954-1550631171
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x75064A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14351 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 41506800-413C-47B3-823B-276503C16C5C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14350 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x744721
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14349 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:24 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x744721
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14348 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:24 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x744721
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14347 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:24 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14346 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:24 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x74051B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14345 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:22 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x74051B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14344 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:22 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x74051B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14343 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:22 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14342 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:22 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x738E1D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14341 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:19 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x738E1D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14340 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x738E1D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14339 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14338 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x737635
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14337 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:18 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x737635
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14336 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:18 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x737635
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14335 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:18 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14334 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:18 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x735A1F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14333 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:17 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x735A1F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14332 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:17 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x735A1F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14331 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:17 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14330 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:17 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x72F415 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14329 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:15 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x72F415 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14328 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:15 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72CB25
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14327 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:09 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72CB25
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14326 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:09 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72CB25
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14325 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:09 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14324 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:09 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72B2F7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14323 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:08 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72B446
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14322 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72B446
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14321 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14320 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72B3E9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14319 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72B3E9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14318 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72B3E9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14317 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14316 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72B3A4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14315 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:07 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72B3A4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14314 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72B3A4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14313 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14312 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72B2F7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14311 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1161433125-1206590396-2468807056-3952658893
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72B2F7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14310 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 453A1025-1BBC-47EB-9001-2793CDC998EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14309 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:07 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72916F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14308 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72916F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14307 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:05 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x72916F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14306 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:05 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14305 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:05 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x728218
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14304 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x728353
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14303 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x728353
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14302 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14301 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7282FE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14300 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7282FE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14299 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7282FE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14298 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14297 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7282B9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14296 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:01:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7282B9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14295 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7282B9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14294 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14293 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x728218
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14292 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3118679256-1338989327-3242764195-1554758797
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x728218
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14291 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B9E344D8-5B0F-4FCF-A3A7-48C18DBCAB5C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14290 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:04 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x725ECF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14289 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:03 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x725ECF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14288 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x725ECF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14287 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14286 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7229AD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14285 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x722B63
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14284 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x722B63
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14283 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14282 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x722B0E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14281 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x722B0E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14280 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x722B0E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14279 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14278 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x722AC9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14277 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x722AC9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14276 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x722AC9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14275 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14274 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7229AD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14273 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-140566111-1090137857-3754972333-3595315735
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7229AD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14272 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0860DE5F-2F01-40FA-AD54-D0DF172A4CD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14271 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71FD2A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14270 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71FD2A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14269 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71FD2A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14268 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14267 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71F022
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14266 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:01:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71F274
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14265 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:00:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71F274
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14264 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:00:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14263 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:00:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71F1AA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14262 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:00:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71F1AA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14261 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:00:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71F1AA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14260 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:00:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14259 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:00:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71F147
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14258 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71F147
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14257 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71F147
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14256 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14255 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71F022
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14254 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2195181790-1219938364-2283160456-834284719
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71F022
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14253 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 82D7D0DE-C83C-48B6-8843-1688AF2CBA31
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14252 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71D56D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14251 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71D56D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14250 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71D56D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14249 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14248 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71BC01
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14247 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71BD46
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14246 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71BD46
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14245 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14244 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71BCF1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14243 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71BCF1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14242 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71BCF1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14241 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14240 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71BCAC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14239 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71BCAC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14238 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71BCAC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14237 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14236 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71BC01
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14235 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-284515019-1257660080-1177314967-2270965769
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x71BC01
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14234 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 10F55ACB-5EB0-4AF6-9766-2C4609305C87
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14233 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x71B3B8 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14232 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x71B3B8 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14231 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:00:56 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7112D1 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14230 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:50 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7112D1 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14229 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 8:00:50 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x6FD686 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14228 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:00:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x6FD686 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14227 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:00:20 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14226 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:00:09 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14225 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 8:00:09 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0xF986E
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x11f4
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14224 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 7:58:37 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0xF986E
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0xe48
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14223 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 7:57:45 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14222 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:27:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14221 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:27:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14220 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:10:35 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14219 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:10:35 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0xF986E
User:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Process Information:
Process ID: 0x1148
Process Name: C:\Program Files\Git\usr\bin\bash.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14218 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:10:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14217 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:08:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14216 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:08:02 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0xF986E
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14215 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0xF986E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x540
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-74014
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14214 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x540
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14213 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:28 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-74014
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14212 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:28 AM | f5d3ff27-a574-0004-0602-d4f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0xF0FCC
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14211 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:22 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0xF0FCC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x540
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-74014
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14210 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:22 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x540
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14209 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:22 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-74014
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14208 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:22 AM | f5d3ff27-a574-0004-d301-d4f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0xEC604
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14207 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0xEC604
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x540
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-74014
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14206 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x540
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14205 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:19 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-74014
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14204 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:19 AM | f5d3ff27-a574-0001-a001-d4f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14203 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14202 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14201 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14200 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_786ef395-3903-4272-99d8-12d94c0055ca
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14199 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Create Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14198 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_786ef395-3903-4272-99d8-12d94c0055ca
Operation: Write persisted key to file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14197 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016 | 5061 | 0 | | 0 | 12290 | 0 | -9218868437227405312 | 14196 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Delete key file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14195 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14194 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14193 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14192 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14191 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14190 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:07:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0x90373
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-500
Account Name: Administrator
Account Domain: HV-CINDER-74014 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14189 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:36 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0x90373
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-500
Account Name: Administrator
Account Domain: HV-CINDER-74014
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/1/2022 7:06:36 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14188 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:36 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0x90373
User:
Security ID: S-1-5-21-1127384214-859305069-3491056595-500
Account Name: Administrator
Account Domain: HV-CINDER-74014
Process Information:
Process ID: 0x39c
Process Name: C:\Windows\System32\net1.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14187 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:36 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0x90373
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x5b8
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14186 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:22 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x2D013
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14185 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:06:04 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0x90373
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14184 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0x90373
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x540
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-74014
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14183 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x540
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14182 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-74014
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14181 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:01 AM | f5d3ff27-a574-0004-b3ff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0x8F857
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14180 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:00 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0x8F857
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14179 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0x8F857
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x540
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-74014
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14178 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x540
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14177 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-74014
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14176 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:00 AM | f5d3ff27-a574-0000-0300-d4f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: 95141c15-9298-4e26-bc9f-3eb009453441
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14175 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: 95141c15-9298-4e26-bc9f-3eb009453441
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8c0c52fe803808023428fa24f32eb5a1_786ef395-3903-4272-99d8-12d94c0055ca
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14174 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:06:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14173 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Changed Attributes:
SAM Account Name: Admin
Display Name: Admin
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/1/2022 7:05:57 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14172 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
User:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Process Information:
Process ID: 0xd1c
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14171 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
User:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Process Information:
Process ID: 0xd1c
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14170 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
User:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Process Information:
Process ID: 0xd1c
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14169 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14168 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:52 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14167 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:52 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
User:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Process Information:
Process ID: 0xd1c
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14166 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:52 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A member was added to a security-enabled local group.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
Member:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: -
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Additional Information:
Privileges: - | 4732 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14165 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:51 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0x773D4
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14164 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:51 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x248
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14163 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:51 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon ID: 0x773D4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xd1c
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Workstation Name: HV-CINDER-74014
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14162 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:46 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-74014
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xd1c
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14161 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:46 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-74014
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14160 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:46 AM | f5d3ff27-a574-0002-8eff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14159 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Changed Attributes:
SAM Account Name: Admin
Display Name: Admin
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/1/2022 7:05:41 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x15
New UAC Value: 0x210
User Account Control:
Account Enabled
'Password Not Required' - Disabled
'Don't Expire Password' - Enabled
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14158 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was enabled.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014 | 4722 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14157 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was created.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
New Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: Admin
Account Domain: HV-CINDER-74014
Attributes:
SAM Account Name: Admin
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges - | 4720 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14156 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A member was added to a security-enabled global group.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
Member:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1001
Account Name: -
Group:
Security ID: S-1-5-21-1127384214-859305069-3491056595-513
Group Name: None
Group Domain: HV-CINDER-74014
Additional Information:
Privileges: - | 4728 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14155 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:41 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
Privileges: SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14154 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:17 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x2D013
Logon Information:
Logon Type: 4
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x57044
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xfd8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Workstation Name: HV-CINDER-74014
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14153 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:17 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: cloudbase-init
Source Workstation: HV-CINDER-74014
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14152 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:17 AM | f5d3ff27-a574-0002-87ff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x2D013
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14151 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:17 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x2D013
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Changed Attributes:
SAM Account Name: cloudbase-init
Display Name: cloudbase-init
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/1/2022 7:05:17 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14150 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:17 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x2D013
User:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Process Information:
Process ID: 0xfd8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14149 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:17 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x2D013
User:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Process Information:
Process ID: 0xfd8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14148 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:17 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Type: 2
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Administrator
Account Domain: HV-CINDER-74014
Failure Information:
Failure Reason: The specified account's password has expired.
Status: 0xC0000224
Sub Status: 0x0
Process Information:
Caller Process ID: 0x248
Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-74014
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4625 | 0 | | 0 | 12544 | 0 | -9218868437227405312 | 14147 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:14 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-1127384214-859305069-3491056595-500
Account Name: Administrator
Account Domain: HV-CINDER-74014
Process Information:
Process ID: 0x528
Process Name: C:\Windows\System32\LogonUI.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14146 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:14 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14145 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:12 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14144 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:12 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x248
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14143 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:08 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14142 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:06 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0xa10
Process Name: C:\Windows\System32\vmms.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14141 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:06 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14140 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:06 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14139 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:06 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: TSSecKeySet1
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14138 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TSSecKeySet1
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_786ef395-3903-4272-99d8-12d94c0055ca
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14137 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: TSSecKeySet1
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14136 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TSSecKeySet1
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_786ef395-3903-4272-99d8-12d94c0055ca
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14135 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x2D013
Privileges: SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14134 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon ID: 0x2D013
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: HV-CINDER-74014
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14133 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: cloudbase-init
Account Domain: HV-CINDER-74014
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14132 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:03 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: cloudbase-init
Source Workstation: HV-CINDER-74014
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14131 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:03 AM | f5d3ff27-a574-0002-62ff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14130 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14129 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14128 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:05:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14127 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:05:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14126 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:05:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14125 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14124 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14123 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14122 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:01 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Windows Firewall service started successfully. | 5024 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14121 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14120 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14119 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:05:00 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x20B17
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14118 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14117 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14116 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14115 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14114 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14113 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14112 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14111 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14110 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14109 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14108 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x248
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14107 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Windows Firewall Driver started successfully. | 5033 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14106 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x248
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14105 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x248
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14104 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14103 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14102 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14101 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14100 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14099 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14098 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x540
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14097 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x540
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14096 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:59 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14095 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x45c
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14094 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14093 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14092 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14091 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14090 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:58 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x5a4
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2022?-?08?-?01T07:04:57.877114300Z
New Time: ?2022?-?08?-?01T07:04:58.421000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 14089 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-cinder-74014 | | 8/1/2022 7:04:58 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14088 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14087 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14086 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14085 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Auditing settings on object were changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\Temp\winre\ExtractedFromWim
Handle ID: 0x5d8
Process Information:
Process ID: 0x518
Process Name: C:\Windows\System32\oobe\msoobe.exe
Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) | 4907 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14084 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 316 | hv-cinder-74014 | | 8/1/2022 7:04:57 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14083 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14082 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-cinder-74014 | | 8/1/2022 7:04:57 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled global group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-21-1127384214-859305069-3491056595-513
Group Name: None
Group Domain: HV-CINDER-74014
Changed Attributes:
SAM Account Name: None
SID History: -
Additional Information:
Privileges: - | 4737 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14081 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-513
Account Domain: HV-CINDER-74014
Old Account Name: None
New Account Name: None
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14080 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled global group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-21-1127384214-859305069-3491056595-513
Group Name: None
Group Domain: HV-CINDER-74014
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4737 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14079 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-503
Account Name: DefaultAccount
Account Domain: HV-CINDER-74014
Changed Attributes:
SAM Account Name: DefaultAccount
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14078 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-503
Account Name: DefaultAccount
Account Domain: HV-CINDER-74014
Changed Attributes:
SAM Account Name: DefaultAccount
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14077 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-501
Account Name: Guest
Account Domain: HV-CINDER-74014
Changed Attributes:
SAM Account Name: Guest
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14076 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-501
Account Name: Guest
Account Domain: HV-CINDER-74014
Changed Attributes:
SAM Account Name: Guest
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14075 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-500
Account Name: Administrator
Account Domain: HV-CINDER-74014
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14074 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-500
Account Name: Administrator
Account Domain: HV-CINDER-74014
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14073 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-581
Group Name: System Managed Accounts Group
Group Domain: Builtin
Changed Attributes:
SAM Account Name: System Managed Accounts Group
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14072 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-581
Account Domain: Builtin
Old Account Name: System Managed Accounts Group
New Account Name: System Managed Accounts Group
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14071 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-581
Group Name: System Managed Accounts Group
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14070 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-582
Group Name: Storage Replica Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Storage Replica Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14069 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-582
Account Domain: Builtin
Old Account Name: Storage Replica Administrators
New Account Name: Storage Replica Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14068 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-582
Group Name: Storage Replica Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14067 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-580
Group Name: Remote Management Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Remote Management Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14066 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-580
Account Domain: Builtin
Old Account Name: Remote Management Users
New Account Name: Remote Management Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14065 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-580
Group Name: Remote Management Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14064 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-579
Group Name: Access Control Assistance Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Access Control Assistance Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14063 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-579
Account Domain: Builtin
Old Account Name: Access Control Assistance Operators
New Account Name: Access Control Assistance Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14062 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-579
Group Name: Access Control Assistance Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14061 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-578
Group Name: Hyper-V Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Hyper-V Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14060 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-578
Account Domain: Builtin
Old Account Name: Hyper-V Administrators
New Account Name: Hyper-V Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14059 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-578
Group Name: Hyper-V Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14058 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-577
Group Name: RDS Management Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Management Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14057 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-577
Account Domain: Builtin
Old Account Name: RDS Management Servers
New Account Name: RDS Management Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14056 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-577
Group Name: RDS Management Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14055 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-576
Group Name: RDS Endpoint Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Endpoint Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14054 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-576
Account Domain: Builtin
Old Account Name: RDS Endpoint Servers
New Account Name: RDS Endpoint Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14053 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-576
Group Name: RDS Endpoint Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14052 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-575
Group Name: RDS Remote Access Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Remote Access Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14051 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-575
Account Domain: Builtin
Old Account Name: RDS Remote Access Servers
New Account Name: RDS Remote Access Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14050 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-575
Group Name: RDS Remote Access Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14049 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-574
Group Name: Certificate Service DCOM Access
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Certificate Service DCOM Access
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14048 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-574
Account Domain: Builtin
Old Account Name: Certificate Service DCOM Access
New Account Name: Certificate Service DCOM Access
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14047 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-574
Group Name: Certificate Service DCOM Access
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14046 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-573
Group Name: Event Log Readers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Event Log Readers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14045 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-573
Account Domain: Builtin
Old Account Name: Event Log Readers
New Account Name: Event Log Readers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14044 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-573
Group Name: Event Log Readers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14043 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-569
Group Name: Cryptographic Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Cryptographic Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14042 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-569
Account Domain: Builtin
Old Account Name: Cryptographic Operators
New Account Name: Cryptographic Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14041 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-569
Group Name: Cryptographic Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14040 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-568
Group Name: IIS_IUSRS
Group Domain: Builtin
Changed Attributes:
SAM Account Name: IIS_IUSRS
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14039 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-568
Account Domain: Builtin
Old Account Name: IIS_IUSRS
New Account Name: IIS_IUSRS
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14038 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-568
Group Name: IIS_IUSRS
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14037 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-562
Group Name: Distributed COM Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Distributed COM Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14036 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-562
Account Domain: Builtin
Old Account Name: Distributed COM Users
New Account Name: Distributed COM Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14035 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-562
Group Name: Distributed COM Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14034 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-559
Group Name: Performance Log Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Performance Log Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14033 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-559
Account Domain: Builtin
Old Account Name: Performance Log Users
New Account Name: Performance Log Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14032 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-559
Group Name: Performance Log Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14031 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-558
Group Name: Performance Monitor Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Performance Monitor Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14030 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-558
Account Domain: Builtin
Old Account Name: Performance Monitor Users
New Account Name: Performance Monitor Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14029 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-558
Group Name: Performance Monitor Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14028 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-547
Group Name: Power Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Power Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14027 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-547
Account Domain: Builtin
Old Account Name: Power Users
New Account Name: Power Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14026 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-547
Group Name: Power Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14025 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-556
Group Name: Network Configuration Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Network Configuration Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14024 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-556
Account Domain: Builtin
Old Account Name: Network Configuration Operators
New Account Name: Network Configuration Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14023 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-556
Group Name: Network Configuration Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14022 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-555
Group Name: Remote Desktop Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Remote Desktop Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14021 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-555
Account Domain: Builtin
Old Account Name: Remote Desktop Users
New Account Name: Remote Desktop Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14020 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-555
Group Name: Remote Desktop Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14019 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-552
Group Name: Replicator
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Replicator
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14018 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-552
Account Domain: Builtin
Old Account Name: Replicator
New Account Name: Replicator
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14017 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-552
Group Name: Replicator
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14016 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Backup Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14015 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-551
Account Domain: Builtin
Old Account Name: Backup Operators
New Account Name: Backup Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14014 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14013 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-546
Group Name: Guests
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Guests
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14012 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-546
Account Domain: Builtin
Old Account Name: Guests
New Account Name: Guests
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14011 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-546
Group Name: Guests
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14010 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-545
Group Name: Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14009 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-545
Account Domain: Builtin
Old Account Name: Users
New Account Name: Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14008 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-545
Group Name: Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14007 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14006 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-544
Account Domain: Builtin
Old Account Name: Administrators
New Account Name: Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14005 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14004 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-550
Group Name: Print Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Print Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14003 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-550
Account Domain: Builtin
Old Account Name: Print Operators
New Account Name: Print Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14002 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-550
Group Name: Print Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14001 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-cinder-74014 | | 8/1/2022 7:04:55 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14000 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:44 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13999 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:44 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13998 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13997 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13996 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13995 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13994 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13993 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB54A
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13992 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB538
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13991 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB54A
Linked Logon ID: 0xB538
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2d4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13990 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB538
Linked Logon ID: 0xB54A
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2d4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13989 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DWM-1
Account Domain: Window Manager
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x2d4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 13988 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13987 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13986 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 888 | hv-cinder-74014 | | 8/1/2022 7:04:43 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13985 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 7:04:42 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-74014$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13984 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-cinder-74014 | | 8/1/2022 7:04:42 AM | f5d3ff27-a574-0002-2bff-d3f574a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0x619C | 4902 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13983 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 868 | hv-cinder-74014 | | 8/1/2022 7:04:42 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 0
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: -
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13982 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 820 | hv-cinder-74014 | | 8/1/2022 7:04:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. | 4608 | 0 | | 0 | 12288 | 0 | -9214364837600034816 | 13981 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 820 | hv-cinder-74014 | | 8/1/2022 7:04:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x330
New Process Name: C:\Windows\System32\lsass.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b0
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13980 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 388 | hv-cinder-74014 | | 8/1/2022 7:04:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x320
New Process Name: C:\Windows\System32\services.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b0
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13979 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 516 | hv-cinder-74014 | | 8/1/2022 7:04:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2d4
New Process Name: C:\Windows\System32\winlogon.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x290
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13978 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 212 | hv-cinder-74014 | | 8/1/2022 7:04:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2b0
New Process Name: C:\Windows\System32\wininit.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x248
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13977 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 212 | hv-cinder-74014 | | 8/1/2022 7:04:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x298
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x290
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13976 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 212 | hv-cinder-74014 | | 8/1/2022 7:04:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x290
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1d8
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13975 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 212 | hv-cinder-74014 | | 8/1/2022 7:04:41 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x250
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x248
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13974 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 388 | hv-cinder-74014 | | 8/1/2022 7:04:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x248
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1d8
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13973 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 388 | hv-cinder-74014 | | 8/1/2022 7:04:40 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x218
New Process Name: C:\Windows\System32\autochk.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1d8
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13972 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-cinder-74014 | | 8/1/2022 7:04:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1d8
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13971 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 388 | hv-cinder-74014 | | 8/1/2022 7:04:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1d4
New Process Name:
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13970 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-cinder-74014 | | 8/1/2022 7:04:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Boot Configuration Data loaded.
Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
General Settings:
Load Options: -
Advanced Options: No
Configuration Access Policy: Default
System Event Logging: No
Kernel Debugging: No
VSM Launch Type: Auto
Signature Settings:
Test Signing: No
Flight Signing: No
Disable Integrity Checks: No
HyperVisor Settings:
HyperVisor Load Options: -
HyperVisor Launch Type: Auto
HyperVisor Debugging: No | 4826 | 0 | | 0 | 13573 | 0 | -9214364837600034816 | 13969 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-cinder-74014 | | 8/1/2022 7:04:38 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other Policy Change Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x5d4
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2022?-?08?-?01T07:04:20.513380300Z
New Time: ?2022?-?08?-?01T07:04:20.512000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13968 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 476 | WIN-5T344G8GM1H | | 8/1/2022 7:04:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The event logging service has shut down. | 1100 | 0 | | 4 | 103 | 0 | 4620693217682128896 | 13967 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 1312 | 1568 | WIN-5T344G8GM1H | | 8/1/2022 7:04:20 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Service shutdown | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13966 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:04:14 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13965 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:04:14 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13964 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:59 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: cloudbase-init
Display Name: cloudbase-init
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/1/2022 7:03:59 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13963 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:59 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0x4dc
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13962 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:59 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-1127384214-859305069-3491056595-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0x4dc
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13961 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:59 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Auditing settings on object were changed.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\Temp\winre\ExtractedFromWim
Handle ID: 0x3e0
Process Information:
Process ID: 0x4a8
Process Name: C:\Windows\System32\oobe\Setup.exe
Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) | 4907 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13960 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 476 | WIN-5T344G8GM1H | | 8/1/2022 7:03:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13959 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:09 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13958 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:09 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Windows Firewall service started successfully. | 5024 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 13957 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:07 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x63041
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13956 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 876 | WIN-5T344G8GM1H | | 8/1/2022 7:03:07 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13955 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 876 | WIN-5T344G8GM1H | | 8/1/2022 7:03:07 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13954 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 876 | WIN-5T344G8GM1H | | 8/1/2022 7:03:07 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13953 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 876 | WIN-5T344G8GM1H | | 8/1/2022 7:03:07 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13952 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 876 | WIN-5T344G8GM1H | | 8/1/2022 7:03:07 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13951 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 876 | WIN-5T344G8GM1H | | 8/1/2022 7:03:07 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13950 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:07 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13949 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:07 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13948 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 876 | WIN-5T344G8GM1H | | 8/1/2022 7:03:07 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13947 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:06 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13946 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:06 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Windows Firewall Driver started successfully. | 5033 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 13945 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 212 | WIN-5T344G8GM1H | | 8/1/2022 7:03:06 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13944 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 876 | WIN-5T344G8GM1H | | 8/1/2022 7:03:06 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13943 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 876 | WIN-5T344G8GM1H | | 8/1/2022 7:03:06 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13942 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:05 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13941 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:05 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x520
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2022?-?08?-?01T07:03:05.252632500Z
New Time: ?2022?-?08?-?01T07:03:05.423000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13940 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 212 | WIN-5T344G8GM1H | | 8/1/2022 7:03:05 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13939 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:05 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13938 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:05 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13937 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:05 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13936 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:03:05 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13935 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 920 | WIN-5T344G8GM1H | | 8/1/2022 7:02:57 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13934 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 920 | WIN-5T344G8GM1H | | 8/1/2022 7:02:57 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13933 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 920 | WIN-5T344G8GM1H | | 8/1/2022 7:02:56 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13932 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 920 | WIN-5T344G8GM1H | | 8/1/2022 7:02:56 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x578A0
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13931 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 920 | WIN-5T344G8GM1H | | 8/1/2022 7:02:56 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x5788E
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13930 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 920 | WIN-5T344G8GM1H | | 8/1/2022 7:02:56 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x578A0
Linked Logon ID: 0x5788E
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2e4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13929 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 920 | WIN-5T344G8GM1H | | 8/1/2022 7:02:56 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x5788E
Linked Logon ID: 0x578A0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2e4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13928 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 920 | WIN-5T344G8GM1H | | 8/1/2022 7:02:56 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DWM-1
Account Domain: Window Manager
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x2e4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 13927 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 920 | WIN-5T344G8GM1H | | 8/1/2022 7:02:56 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13926 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:02:56 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13925 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:02:56 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13924 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:02:56 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13923 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:02:56 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13922 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 920 | WIN-5T344G8GM1H | | 8/1/2022 7:02:56 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13921 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 920 | WIN-5T344G8GM1H | | 8/1/2022 7:02:56 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13920 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:02:55 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x330
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13919 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 868 | WIN-5T344G8GM1H | | 8/1/2022 7:02:55 AM | ab757b1f-a574-0005-257b-75ab74a5d801 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0x500A6 | 4902 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13918 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 880 | WIN-5T344G8GM1H | | 8/1/2022 7:02:55 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 0
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: -
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13917 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 836 | WIN-5T344G8GM1H | | 8/1/2022 7:02:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. | 4608 | 0 | | 0 | 12288 | 0 | -9214364837600034816 | 13916 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 832 | 836 | WIN-5T344G8GM1H | | 8/1/2022 7:02:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x340
New Process Name: C:\Windows\System32\lsass.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2c0
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13915 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/1/2022 7:02:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x330
New Process Name: C:\Windows\System32\services.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2c0
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13914 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/1/2022 7:02:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2e4
New Process Name: C:\Windows\System32\winlogon.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2a0
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13913 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/1/2022 7:02:54 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2c0
New Process Name: C:\Windows\System32\wininit.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x260
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13912 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/1/2022 7:02:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2a8
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2a0
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13911 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/1/2022 7:02:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2a0
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e8
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13910 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/1/2022 7:02:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x268
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x260
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13909 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 240 | WIN-5T344G8GM1H | | 8/1/2022 7:02:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x260
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e8
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13908 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 240 | WIN-5T344G8GM1H | | 8/1/2022 7:02:53 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x23c
New Process Name: C:\Windows\System32\setupcl.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e8
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13907 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/1/2022 7:02:36 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x20c
New Process Name: C:\Windows\System32\autochk.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e8
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13906 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 240 | WIN-5T344G8GM1H | | 8/1/2022 7:02:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1e8
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13905 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/1/2022 7:02:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1e4
New Process Name:
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13904 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/1/2022 7:02:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Boot Configuration Data loaded.
Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
General Settings:
Load Options: -
Advanced Options: No
Configuration Access Policy: Default
System Event Logging: No
Kernel Debugging: No
VSM Launch Type: Auto
Signature Settings:
Test Signing: No
Flight Signing: No
Disable Integrity Checks: No
HyperVisor Settings:
HyperVisor Load Options: -
HyperVisor Launch Type: Auto
HyperVisor Debugging: No | 4826 | 0 | | 0 | 13573 | 0 | -9214364837600034816 | 13903 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/1/2022 7:02:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other Policy Change Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x4dc
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z
New Time: ?2018?-?01?-?19T09:48:13.152000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13902 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 1980 | WIN-5T344G8GM1H | | 1/19/2018 9:48:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The event logging service has shut down. | 1100 | 0 | | 4 | 103 | 0 | 4620693217682128896 | 13901 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 436 | 1144 | WIN-5T344G8GM1H | | 1/19/2018 9:48:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Service shutdown | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| User initiated logoff:
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event. | 4647 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 13900 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:48:12 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13899 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 3024 | WIN-5T344G8GM1H | | 1/19/2018 9:48:11 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13898 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 3024 | WIN-5T344G8GM1H | | 1/19/2018 9:48:11 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13897 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 756 | WIN-5T344G8GM1H | | 1/19/2018 9:48:10 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13896 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 756 | WIN-5T344G8GM1H | | 1/19/2018 9:48:10 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Domain Policy was changed.
Change Type: Password Policy modified
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Domain:
Domain Name: WIN-5T344G8GM1H
Domain ID: S-1-5-21-416071247-492812682-1642729393
Changed Attributes:
Min. Password Age:
Max. Password Age:
Force Logoff:
Lockout Threshold:
Lockout Observation Window:
Lockout Duration:
Password Properties:
Min. Password Length:
Password History Length: -
Machine Account Quota: -
Mixed Domain Mode: -
Domain Behavior Version: -
OEM Information: 1
Additional Information:
Privileges: - | 4739 | 0 | | 0 | 13569 | 0 | -9214364837600034816 | 13895 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Authentication Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x10
User Account Control:
'Don't Expire Password' - Disabled
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13894 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13893 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 1/19/2018 9:47:34 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13892 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Domain Policy was changed.
Change Type: Password Policy modified
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Domain:
Domain Name: WIN-5T344G8GM1H
Domain ID: S-1-5-21-416071247-492812682-1642729393
Changed Attributes:
Min. Password Age: ??
Max. Password Age:
Force Logoff: ??
Lockout Threshold:
Lockout Observation Window: -
Lockout Duration: -
Password Properties: -
Min. Password Length: -
Password History Length: 0
Machine Account Quota: 0
Mixed Domain Mode: 0
Domain Behavior Version: -
OEM Information: -
Additional Information:
Privileges: - | 4739 | 0 | | 0 | 13569 | 0 | -9214364837600034816 | 13891 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Authentication Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
User:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0xfac
Process Name: C:\Windows\System32\Sysprep\sysprep.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13890 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13889 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13888 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The audit log was cleared.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Domain Name: WIN-5T344G8GM1H
Logon ID: 0x1F0E3 | 1102 | 0 | | 4 | 104 | 0 | 4620693217682128896 | 13887 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 436 | 1136 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Log clear | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |