| Message | Id | Version | Qualifiers | Level | Task | Opcode | Keywords | RecordId | ProviderName | ProviderId | LogName | ProcessId | ThreadId | MachineName | UserId | TimeCreated | ActivityId | RelatedActivityId | ContainerLog | MatchedQueryIds | Bookmark | LevelDisplayName | OpcodeDisplayName | TaskDisplayName | KeywordsDisplayNames | Properties |
|---|
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x110508
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x1074
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14986 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:04:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9E0C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14985 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:04:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F2B41
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14984 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F2B41
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14983 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:35 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F2B41
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14982 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:35 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14981 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:35 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDFE5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14980 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:25 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDFE5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14979 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDFE5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14978 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14977 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EA81B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14976 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:20 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EA81B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14975 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:20 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EA81B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14974 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:20 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14973 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:20 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9CC8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14972 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9E0C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14971 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9E0C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14970 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14969 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9DB7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14968 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9DB7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14967 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9DB7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14966 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14965 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9D72
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14964 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9D72
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14963 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9D72
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14962 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14961 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9CC8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14960 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2412360816-1075659480-1313424019-791034010
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9CC8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14959 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8FC9B470-42D8-401D-9342-494E9A38262F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14958 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:01:19 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9E5804 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14957 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:00:36 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9E5804 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14956 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:00:36 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x949A5E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14955 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 7:00:07 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98DA11
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14954 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:59 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9D20DA | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14953 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:44 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9D20DA | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14952 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:44 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A36C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14951 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:39 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BA197
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14950 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9C19D5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14949 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:33 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9C19D5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14948 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9C19D5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14947 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14946 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BDD38
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14945 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:31 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BDD38
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14944 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BDD38
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14943 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14942 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BAC9A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14941 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BAC9A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14940 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:29 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BAC9A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14939 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:29 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14938 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:29 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BA057
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14937 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BA197
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14936 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BA197
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14935 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14934 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BA142
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14933 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:28 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BA142
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14932 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BA142
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14931 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14930 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BA0FD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14929 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:28 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BA0FD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14928 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BA0FD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14927 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14926 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BA057
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14925 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3961388107-1218901965-2282066363-2994003470
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BA057
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14924 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EC1DFC4B-F7CD-48A6-BB91-05880EDE74B2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14923 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9E2F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14922 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:59:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B4CED
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14921 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:22 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B4CED
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14920 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:22 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B4CED
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14919 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:22 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14918 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:22 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF226
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14917 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:20 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF226
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14916 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:20 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF226
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14915 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:20 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14914 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:20 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AAAF3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14913 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AAAF3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14912 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AAAF3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14911 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14910 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9CEE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14909 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9E2F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14908 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9E2F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14907 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14906 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9DDA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14905 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9DDA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14904 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9DDA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14903 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14902 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9D95
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14901 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9D95
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14900 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9D95
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14899 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14898 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9CEE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14897 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2663506322-1140586223-475236738-1562694142
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9CEE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14896 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9EC1E192-F6EF-43FB-8289-531CFED1245D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14895 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:59:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x978440
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14894 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:58:49 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x998F30
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14893 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:58:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x998F30
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14892 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:58:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x998F30
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14891 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:58:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14890 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:58:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x994C0A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14889 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:58 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x994C0A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14888 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:58 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x994C0A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14887 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:58 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14886 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:58 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x991522
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14885 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x991522
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14884 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x991522
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14883 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14882 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98D7A7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14881 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:53 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98DA11
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14880 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98DA11
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14879 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14878 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98D97D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14877 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:52 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98D97D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14876 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98D97D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14875 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14874 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98D8FB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14873 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:52 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98D8FB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14872 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98D8FB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14871 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14870 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98D7A7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14869 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4230908293-1126747787-1873142451-2105551820
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98D7A7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14868 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FC2E8985-CE8B-4328-B3E2-A56FCC2B807D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14867 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98BA8A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14866 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:51 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98BA8A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14865 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:51 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98BA8A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14864 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:51 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14863 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:51 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A22A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14862 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:50 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A36C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14861 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A36C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14860 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14859 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A317
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14858 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:49 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A317
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14857 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A317
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14856 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14855 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A2D2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14854 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:49 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A2D2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14853 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A2D2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14852 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14851 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A22A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14850 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2661365287-1210057566-3742221712-1362627178
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A22A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14849 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9EA13627-035E-4820-90C5-0DDF6A0A3851
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14848 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95BA37
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14847 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x982CC5 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14846 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:42 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x982CC5 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14845 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:42 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x97EE62
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14844 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x97EE62
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14843 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x97EE62
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14842 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14841 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BBEB3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14840 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x978F0F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14839 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x978F0F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14838 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x978F0F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14837 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14836 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x978304
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14835 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x978440
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14834 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x978440
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14833 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14832 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9783EB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14831 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:31 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9783EB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14830 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9783EB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14829 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14828 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9783A6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14827 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:31 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9783A6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14826 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9783A6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14825 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14824 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x978304
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14823 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4004542974-1332339678-4016007853-3671262750
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x978304
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14822 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EEB079FE-E3DE-4F69-AD6A-5FEF1E06D3DA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14821 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:57:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937EC7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14820 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:12 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9723A7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14819 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:11 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9723A7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14818 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9723A7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14817 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14816 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:57:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96042A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14815 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:56:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96042A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14814 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:56:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96042A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14813 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:56:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14812 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:56:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95DCAB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14811 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:56:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95DCAB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14810 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:56:01 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95DCAB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14809 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:56:01 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14808 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:56:01 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B861
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14807 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:56 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95BA37
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14806 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95BA37
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14805 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14804 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B975
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14803 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B975
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14802 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B975
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14801 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14800 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B916
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14799 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B916
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14798 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B916
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14797 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14796 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B861
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14795 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1248056371-1167126574-3792247686-4083808540
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95B861
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14794 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4A63D433-F02E-4590-861B-09E21CF969F3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14793 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A8EEF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14792 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:51 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x950593
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14791 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:43 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x950593
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14790 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:43 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x950593
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14789 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:43 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14788 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:43 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x94BE20
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14787 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x94BE20
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14786 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x94BE20
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14785 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14784 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x949910
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14783 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x949A5E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14782 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x949A5E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14781 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14780 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x949A09
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14779 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:31 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x949A09
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14778 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x949A09
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14777 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14776 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9499C3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14775 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:31 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9499C3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14774 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9499C3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14773 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14772 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x949910
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14771 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-437607116-1122934785-2594461062-3546060352
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x949910
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14770 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1A155ACC-A001-42EE-8655-A49A40965CD3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14769 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88CFBE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14768 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93F309
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14767 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:12 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93F309
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14766 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:12 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93F309
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14765 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:12 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14764 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:12 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9389C1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14763 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9389C1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14762 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9389C1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14761 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14760 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937D80
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14759 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937EC7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14758 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937EC7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14757 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14756 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937E72
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14755 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937E72
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14754 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937E72
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14753 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14752 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937E2D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14751 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937E2D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14750 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937E2D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14749 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14748 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937D80
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14747 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2524996306-1177333742-1282625449-1469570147
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x937D80
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14746 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 968062D2-AFEE-462C-A94F-734C63DC9757
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14745 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:55:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FE8E3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14744 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:54:58 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x92D331
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14743 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:54:52 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x92D331
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14742 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:54:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x92D331
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14741 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:54:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14740 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:54:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x925367 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14739 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:54:16 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x925367 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14738 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:54:16 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x922B87 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14737 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:54:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x922B87 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14736 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:54:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EE027
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14735 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:53:59 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91933D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14734 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:53:56 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91933D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14733 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:53:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91933D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14732 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:53:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14731 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:53:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9112C3 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14730 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:51 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9112C3 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14729 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:51 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90CE92
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14728 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:44 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90CE92
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14727 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:44 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90CE92
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14726 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:44 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14725 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:44 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x90C221 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14724 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:44 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x90C221 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14723 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:44 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x901843
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14722 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:38 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x901843
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14721 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x901843
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14720 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14719 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FE6DE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14718 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:38 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FF918
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14717 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:38 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FF918
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14716 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FF918
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14715 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14714 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FE8E3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14713 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FE8E3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14712 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14711 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FE84E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14710 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FE84E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14709 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FE84E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14708 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14707 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FE807
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14706 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FE807
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14705 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FE807
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14704 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14703 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FE6DE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14702 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-401558094-1080237503-1200627370-4044297423
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FE6DE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14701 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 17EF4A4E-1DBF-4063-AA1E-9047CF140FF1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14700 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F88CC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14699 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F88CC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14698 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F88CC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14697 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14696 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78C145
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14695 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:13 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F2508
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14694 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:11 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F2508
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14693 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F2508
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14692 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14691 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EF1E5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14690 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:08 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EF1E5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14689 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:08 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EF1E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14688 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:08 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14687 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:08 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EDEE4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14686 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:08 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8EE0BD | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14685 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8EE0BD | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14684 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:07 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EE027
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14683 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EE027
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14682 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14681 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EDFD2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14680 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:06 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EDFD2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14679 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EDFD2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14678 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14677 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:53:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EDF8D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14676 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:53:06 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EDF8D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14675 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:53:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EDF8D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14674 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:53:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14673 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:53:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EDEE4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14672 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:53:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-87491103-1241696696-4115715200-1418807867
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8EDEE4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14671 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:53:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0537021F-C9B8-4A02-80D4-50F53B4A9154
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14670 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:53:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8EAD83 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14669 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8EAD83 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14668 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8E7998 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14667 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:48 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8E7998 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14666 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:48 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8251AA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14665 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8E25A8 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14664 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:41 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8E25A8 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14663 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:41 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8DAF06
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14662 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8DAF06
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14661 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:35 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8DAF06
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14660 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:35 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14659 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:35 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8D8596 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14658 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:34 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8D8596 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14657 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:34 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8CFF39
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14656 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:28 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8CFF39
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14655 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8CFF39
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14654 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14653 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C84BA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14652 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:22 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C84BA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14651 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:22 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C84BA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14650 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:22 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14649 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:22 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BBBAB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14648 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:22 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8BE2E3 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14647 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:21 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8BE2E3 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14646 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:21 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BBEB3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14645 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:16 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BBEB3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14644 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:16 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14643 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:16 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BBE13
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14642 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:16 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BBE13
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14641 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:16 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BBE13
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14640 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:16 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14639 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:16 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BBDAA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14638 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:16 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BBDAA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14637 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:16 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BBDAA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14636 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:16 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14635 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:16 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BBBAB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14634 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:16 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-834402074-1159803011-2522338226-4184779397
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BBBAB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14633 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:16 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 31BBF71A-3083-4521-B2D3-579685AA6EF9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14632 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:16 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B9F5D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14631 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B9F5D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14630 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B9F5D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14629 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14628 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8B8F4C | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14627 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8B8F4C | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14626 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14625 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14624 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:14 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8AC2C5 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14623 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8AC2C5 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14622 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:52:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A8CB7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14621 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:06 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A997A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14620 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:04 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A997A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14619 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:04 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A997A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14618 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:04 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14617 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:04 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A8EEF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14616 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A8EEF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14615 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14614 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A8E80
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14613 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A8E80
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14612 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A8E80
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14611 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14610 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A8E12
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14609 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A8E12
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14608 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A8E12
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14607 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14606 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A8CB7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14605 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1328835739-1268947794-1405538738-3433097108
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A8CB7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14604 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4F346C9B-9B52-4BA2-B2D1-C65394E7A0CC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14603 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8A787F | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14602 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:02 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8A787F | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14601 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:52:02 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x793E9E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14600 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A2258
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14599 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A2258
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14598 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A2258
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14597 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14596 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89BA98
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14595 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:53 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89BA98
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14594 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:53 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89BA98
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14593 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:53 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14592 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:53 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88CD30
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14591 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88CFBE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14590 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88CFBE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14589 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14588 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88CF52
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14587 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88CF52
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14586 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88CF52
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14585 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14584 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88CEE3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14583 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88CEE3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14582 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88CEE3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14581 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14580 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7925CB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14579 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88CD30
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14578 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-676691919-1171985467-615879869-1736391690
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88CD30
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14577 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 28557FCF-143B-45DB-BD94-B5240A3C7F67
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14576 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:46 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E8E0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14575 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:38 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x87F7BE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14574 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x87F7BE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14573 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x87F7BE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14572 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14571 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x87C3D5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14570 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x87C3D5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14569 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:36 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x87C3D5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14568 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:36 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14567 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:36 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2FD6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14566 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8742F7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14565 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:31 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8742F7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14564 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8742F7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14563 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14562 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:51:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x87043E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14561 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x87043E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14560 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:29 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x87043E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14559 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:29 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14558 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:29 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x86EA8C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14557 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:28 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x86EA8C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14556 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x86EA8C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14555 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14554 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:28 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FFCFA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14553 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:28 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E442
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14552 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:22 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85A530
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14551 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:13 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85A530
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14550 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:13 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85A530
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14549 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:13 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14548 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:13 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x855DCA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14547 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:06 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x855DCA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14546 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x855DCA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14545 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14544 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x851790
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14543 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x851790
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14542 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:01 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x851790
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14541 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:01 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14540 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:51:01 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8499FF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14539 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:56 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8499FF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14538 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8499FF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14537 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14536 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8494B4 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14535 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8494B4 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14534 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x846785
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14533 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:38 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x846785
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14532 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x846785
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14531 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14530 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8436D6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14529 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8436D6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14528 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:35 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8436D6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14527 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:35 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14526 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:35 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E0A7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14525 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:34 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E442
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14524 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E442
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14523 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14522 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E3A8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14521 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E3A8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14520 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E3A8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14519 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14518 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E32D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14517 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E32D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14516 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E32D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14515 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14514 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E18D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14513 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E18D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14512 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E18D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14511 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14510 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E0A7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14509 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3720991138-1236992548-1195158150-569512397
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83E0A7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14508 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DDC9D1A2-0224-49BB-86AA-3C47CD11F221
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14507 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:33 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x83ABA4 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14506 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x83ABA4 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14505 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83AA00
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14504 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:31 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83AA00
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14503 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83AA00
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14502 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14501 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x836C2F | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14500 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:26 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x836C2F | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14499 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:26 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8358BE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14498 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:25 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8358BE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14497 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8358BE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14496 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14495 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x833DD1 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14494 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:20 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x833DD1 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14493 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:20 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83278D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14492 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83278D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14491 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x83278D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14490 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14489 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x82F8FC | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14488 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:13 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x82F8FC | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14487 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:13 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x82AADA | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14486 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x82AADA | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14485 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82A16C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14484 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:06 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82A16C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14483 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82A16C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14482 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14481 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x824D9F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14480 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x826F80
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14479 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x826F80
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14478 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:01 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x826F80
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14477 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:01 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14476 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:01 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x807C22
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14475 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8251AA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14474 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8251AA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14473 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14472 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x825116
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14471 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x825116
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14470 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x825116
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14469 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14468 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8250CB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14467 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8250CB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14466 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8250CB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14465 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14464 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x824D9F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14463 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3824891554-1156192926-2265124523-3783705682
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x824D9F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14462 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E3FB36A2-1A9E-44EA-AB0E-038752C486E1
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14461 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x824988 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14460 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x824988 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14459 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:50:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x81B518
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14458 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:52 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x81B518
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14457 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x81B518
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14456 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14455 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x814C51
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14454 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:50 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x814C51
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14453 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x814C51
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14452 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14451 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x812ACA | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14450 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x812ACA | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14449 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x810CB0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14448 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:44 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x810CB0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14447 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:44 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x810CB0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14446 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:44 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14445 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:44 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80FB5A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14444 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:43 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80FB5A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14443 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:43 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80FB5A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14442 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:43 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14441 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:43 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80BAA1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14440 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80BAA1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14439 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:42 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80BAA1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14438 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:42 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14437 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:42 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x808AB4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14436 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:40 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x808AB4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14435 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:40 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x808AB4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14434 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:40 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14433 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:40 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x807AE0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14432 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:40 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x807C22
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14431 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x807C22
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14430 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14429 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x807BCD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14428 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:39 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x807BCD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14427 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x807BCD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14426 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14425 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x807B88
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14424 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:39 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x807B88
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14423 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x807B88
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14422 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14421 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x807AE0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14420 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-757872889-1325438518-3049800340-4156857390
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x807AE0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14419 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2D2C38F9-9636-4F00-9442-C8B52E9CC4F7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14418 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80176E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14417 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:34 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80176E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14416 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:34 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80176E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14415 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:34 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14414 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:34 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FF9EF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14413 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:33 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7FFD9B | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14412 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7FFD9B | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14411 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FFCFA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14410 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FFCFA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14409 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14408 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FFC60
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14407 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FFC60
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14406 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FFC60
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14405 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14404 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FFBEF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14403 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FFBEF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14402 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FFBEF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14401 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14400 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FF9EF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14399 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-291691450-1110762821-1005555118-1046684900
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7FF9EF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14398 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1162DBBA-E545-4234-AE8D-EF3BE424633E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14397 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7FE20D | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14396 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:27 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7FE20D | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14395 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:27 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7F5C07 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14394 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7F5C07 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14393 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F4701
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14392 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F4701
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14391 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F4701
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14390 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14389 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:15 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7F1838 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14388 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:08 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7F1838 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14387 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:08 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E8DA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14386 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:49:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E5678
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14385 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:59 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E5678
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14384 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:59 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E5678
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14383 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:59 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14382 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:59 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2D97
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14381 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:58 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2FD6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14380 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2FD6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14379 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14378 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2F17
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14377 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2F17
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14376 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2F17
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14375 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14374 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2EC1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14373 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2EC1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14372 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2EC1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14371 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14370 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2D97
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14369 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2293240405-1188426155-275656346-1231587211
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2D97
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14368 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 88B01255-F1AB-46D5-9A2E-6E108B876849
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14367 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2837
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14366 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2837
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14365 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E2837
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14364 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14363 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:57 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7CE4DB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14362 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:50 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7CE4DB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14361 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7CE4DB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14360 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14359 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7CD416
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14358 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:49 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7CD416
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14357 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7CD416
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14356 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14355 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7CD0BC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14354 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:49 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7CD0BC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14353 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7CD0BC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14352 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14351 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:49 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7C51A4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14350 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7C51A4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14349 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:47 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7C51A4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14348 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:47 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14347 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:47 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7B9A3D | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14346 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:44 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7B9A3D | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14345 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:44 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7AEE05
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14344 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7AEE05
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14343 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7AEE05
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14342 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14341 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7ADE1A | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14340 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7ADE1A | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14339 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7AAAD9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14338 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7AAAD9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14337 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:36 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7AAAD9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14336 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:36 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14335 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:36 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x79F21E | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14334 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x79F21E | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14333 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:31 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x798FBA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14332 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:25 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x798F1B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14331 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:25 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x798FBA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14330 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x798FBA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14329 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14328 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x798F1B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14327 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x798F1B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14326 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14325 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x798342
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14324 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:25 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x798342
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14323 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x798342
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14322 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14321 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:25 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x793B21
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14320 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x791960
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14319 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78BB50
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14318 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x793E9E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14317 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x793E9E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14316 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14315 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x793DE3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14314 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x793DE3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14313 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x793DE3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14312 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14311 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x793D77
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14310 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x793D77
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14309 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x793D77
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14308 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14307 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x793BFC | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14306 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x793BFC | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14305 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x793B21
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14304 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1005693248-1285840278-1202133148-2612980759
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x793B21
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14303 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3BF1A940-5D96-4CA4-9C18-A74717ECBE9B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14302 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7925CB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14301 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7925CB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14300 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14299 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x792452
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14298 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x792452
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14297 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x792452
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14296 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14295 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7923AF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14294 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7923AF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14293 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7923AF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14292 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14291 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x791960
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14290 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2925908535-1210527474-120064667-2876619793
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x791960
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14289 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE65D237-2EF2-4827-9B0A-280711BC75AB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14288 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:23 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78C145
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14287 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78C145
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14286 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14285 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78C088
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14284 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78C088
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14283 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78C088
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14282 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14281 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78BFD8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14280 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78BFD8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14279 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78BFD8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14278 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14277 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78BB50
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14276 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-592130263-1328959550-723252907-3121989180
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x78BB50
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14275 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 234B30D7-503E-4F36-ABF6-1B2B3CC615BA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14274 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x78745D | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14273 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x78745D | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14272 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x782DB9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14271 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:11 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x782DAB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14270 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:11 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x782DB9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14269 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x782DB9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14268 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14267 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x782DAB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14266 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x782DAB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14265 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14264 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77AF8F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14263 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:11 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77AF8E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14262 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:11 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E8E0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14261 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E8E0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14260 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14259 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E8DA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14258 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E8DA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14257 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14256 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E39D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14255 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E390
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14254 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E39D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14253 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E39D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14252 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14251 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E390
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14250 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E390
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14249 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14248 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E1F1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14247 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E1F0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14246 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E1F0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14245 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E1F0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14244 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E1F1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14243 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77E1F1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14242 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14241 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14240 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77AF8F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14239 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2642507994-1265172767-876126386-583310317
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77AF8F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14238 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D8178DA-011F-4B69-B2A0-3834ED9BC422
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14237 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77AF8E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14236 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1926679759-1146971387-3013600642-4208911851
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x77AF8E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14235 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 72D6CCCF-64FB-445D-82E5-9FB3EBE5DEFA
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14234 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:48:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x775BD9 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14233 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:48:09 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x775BD9 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14232 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:48:09 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x770718 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14231 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:48:02 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x770718 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14230 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:48:02 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14229 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:47:42 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14228 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:47:42 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x110508
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x10cc
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14227 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:46:18 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x110508
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x117c
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14226 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:45:21 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14225 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:35:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14224 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:35:32 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14223 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:19:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14222 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:19:06 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x110508
User:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Process Information:
Process ID: 0xe44
Process Name: C:\Program Files\Git\usr\bin\bash.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14221 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:18:59 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x110508
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14220 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:15:17 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x110508
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x548
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-81514
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14219 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:15:17 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x548
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14218 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:15:17 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-81514
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14217 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:15:17 PM | 3d21217a-c770-0001-ce24-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x104A08
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14216 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:15:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x104A08
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x548
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-81514
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14215 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:15:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x548
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14214 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:15:11 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-81514
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14213 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:15:11 PM | 3d21217a-c770-0000-7724-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0xFFEBB
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14212 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:15:08 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0xFFEBB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x548
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-81514
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14211 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:15:08 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x548
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14210 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:15:08 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-81514
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14209 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:15:08 PM | 3d21217a-c770-0003-0024-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14208 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:14:54 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14207 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:14:54 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14206 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:14:45 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14205 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:14:45 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x90AA0
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-500
Account Name: Administrator
Account Domain: HV-CINDER-81514 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14204 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:14:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x90AA0
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-500
Account Name: Administrator
Account Domain: HV-CINDER-81514
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 10/22/2021 6:14:00 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14203 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:14:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x90AA0
User:
Security ID: S-1-5-21-3849261512-1226503618-816449958-500
Account Name: Administrator
Account Domain: HV-CINDER-81514
Process Information:
Process ID: 0x9c8
Process Name: C:\Windows\System32\net1.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14202 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:14:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14201 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14200 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14199 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14198 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_2882a854-3c8c-4e85-b01e-a112cdf7c421
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14197 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Create Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14196 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_2882a854-3c8c-4e85-b01e-a112cdf7c421
Operation: Write persisted key to file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14195 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016 | 5061 | 0 | | 0 | 12290 | 0 | -9218868437227405312 | 14194 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Delete key file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14193 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14192 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14191 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14190 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14189 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14188 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:56 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x90AA0
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x264
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14187 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:13:35 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x90AA0
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14186 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:13 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x90AA0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x548
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-81514
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14185 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:13 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x548
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14184 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:13 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-81514
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14183 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:13:13 PM | 3d21217a-c770-0004-bc22-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x2ED54
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14182 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:12:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x5a4
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2021?-?10?-?22T18:12:53.809513200Z
New Time: ?2021?-?10?-?22T18:12:53.801000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 14181 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 228 | hv-cinder-81514 | | 10/22/2021 6:12:53 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x8E662
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14180 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:12:45 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x8E662
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14179 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:12:45 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x8E662
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x548
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-81514
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14178 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:12:45 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x548
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14177 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:12:45 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-81514
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14176 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:12:45 PM | 3d21217a-c770-0000-6c22-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: 1ee81e03-c477-4a30-96dc-df163896fa03
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14175 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:12:45 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: 1ee81e03-c477-4a30-96dc-df163896fa03
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\da963f30056f8ffb4d7edd94a56622fa_2882a854-3c8c-4e85-b01e-a112cdf7c421
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14174 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:12:45 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14173 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:43 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Changed Attributes:
SAM Account Name: Admin
Display Name: Admin
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 10/22/2021 6:12:43 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14172 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:43 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
User:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Process Information:
Process ID: 0xcf4
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14171 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:43 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
User:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Process Information:
Process ID: 0xcf4
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14170 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:43 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
User:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Process Information:
Process ID: 0xcf4
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14169 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:43 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14168 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14167 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
User:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Process Information:
Process ID: 0xcf4
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14166 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:39 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A member was added to a security-enabled local group.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
Member:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: -
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Additional Information:
Privileges: - | 4732 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14165 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x7885D
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14164 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:38 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14163 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon ID: 0x7885D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xcf4
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Workstation Name: HV-CINDER-81514
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14162 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:34 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-81514
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xcf4
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14161 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:34 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-81514
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14160 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:34 PM | 3d21217a-c770-0003-e221-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14159 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:34 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Changed Attributes:
SAM Account Name: Admin
Display Name: Admin
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 10/22/2021 6:12:34 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x15
New UAC Value: 0x210
User Account Control:
Account Enabled
'Password Not Required' - Disabled
'Don't Expire Password' - Enabled
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14158 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:34 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was enabled.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514 | 4722 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14157 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:34 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was created.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
New Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: Admin
Account Domain: HV-CINDER-81514
Attributes:
SAM Account Name: Admin
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges - | 4720 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14156 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:34 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A member was added to a security-enabled global group.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
Member:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1001
Account Name: -
Group:
Security ID: S-1-5-21-3849261512-1226503618-816449958-513
Group Name: None
Group Domain: HV-CINDER-81514
Additional Information:
Privileges: - | 4728 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14155 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:34 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
Privileges: SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14154 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x2ED54
Logon Information:
Logon Type: 4
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x5A267
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x528
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Workstation Name: HV-CINDER-81514
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14153 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:10 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: cloudbase-init
Source Workstation: HV-CINDER-81514
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14152 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:10 PM | 3d21217a-c770-0002-9422-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x2ED54
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14151 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:09 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x2ED54
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Changed Attributes:
SAM Account Name: cloudbase-init
Display Name: cloudbase-init
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 10/22/2021 6:12:09 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14150 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:09 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x2ED54
User:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Process Information:
Process ID: 0x528
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14149 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:09 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x2ED54
User:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Process Information:
Process ID: 0x528
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14148 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:09 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Type: 2
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Administrator
Account Domain: HV-CINDER-81514
Failure Information:
Failure Reason: The specified account's password has expired.
Status: 0xC0000224
Sub Status: 0x0
Process Information:
Caller Process ID: 0x250
Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-81514
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4625 | 0 | | 0 | 12544 | 0 | -9218868437227405312 | 14147 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:09 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-3849261512-1226503618-816449958-500
Account Name: Administrator
Account Domain: HV-CINDER-81514
Process Information:
Process ID: 0xf04
Process Name: C:\Windows\System32\LogonUI.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14146 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:09 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14145 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:12:05 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14144 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:12:05 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14143 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:03 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14142 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x96c
Process Name: C:\Windows\System32\vmms.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14141 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:12:00 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14140 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:59 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14139 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:59 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: TSSecKeySet1
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14138 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:59 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TSSecKeySet1
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_2882a854-3c8c-4e85-b01e-a112cdf7c421
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14137 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:59 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: TSSecKeySet1
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14136 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:59 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TSSecKeySet1
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_2882a854-3c8c-4e85-b01e-a112cdf7c421
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14135 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:59 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x2ED54
Privileges: SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14134 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:58 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon ID: 0x2ED54
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: HV-CINDER-81514
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14133 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:58 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: cloudbase-init
Account Domain: HV-CINDER-81514
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14132 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:58 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: cloudbase-init
Source Workstation: HV-CINDER-81514
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14131 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:58 PM | 3d21217a-c770-0000-cd21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14130 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14129 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14128 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14127 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14126 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14125 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14124 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14123 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:55 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14122 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:54 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14121 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:54 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14120 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:54 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14119 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:54 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Windows Firewall service started successfully. | 5024 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14118 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:54 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x20441
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14117 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:53 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14116 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:53 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14115 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:53 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14114 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:53 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14113 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:53 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14112 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:53 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14111 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:53 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14110 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:53 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14109 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:53 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14108 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:53 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14107 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:53 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Windows Firewall Driver started successfully. | 5033 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14106 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | hv-cinder-81514 | | 10/22/2021 6:11:53 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14105 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14104 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14103 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14102 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14101 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14100 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14099 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14098 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14097 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x4e8
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14096 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x548
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14095 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x548
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14094 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14093 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14092 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14091 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14090 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x5a8
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2021?-?10?-?22T18:11:52.518363700Z
New Time: ?2021?-?10?-?22T18:11:52.082000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 14089 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 228 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14088 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14087 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Auditing settings on object were changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\Temp\winre\ExtractedFromWim
Handle ID: 0x510
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\oobe\msoobe.exe
Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) | 4907 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14086 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 936 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14085 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14084 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14083 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14082 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 884 | hv-cinder-81514 | | 10/22/2021 6:11:52 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled global group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-21-3849261512-1226503618-816449958-513
Group Name: None
Group Domain: HV-CINDER-81514
Changed Attributes:
SAM Account Name: None
SID History: -
Additional Information:
Privileges: - | 4737 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14081 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-513
Account Domain: HV-CINDER-81514
Old Account Name: None
New Account Name: None
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14080 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled global group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-21-3849261512-1226503618-816449958-513
Group Name: None
Group Domain: HV-CINDER-81514
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4737 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14079 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-503
Account Name: DefaultAccount
Account Domain: HV-CINDER-81514
Changed Attributes:
SAM Account Name: DefaultAccount
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14078 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-503
Account Name: DefaultAccount
Account Domain: HV-CINDER-81514
Changed Attributes:
SAM Account Name: DefaultAccount
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14077 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-501
Account Name: Guest
Account Domain: HV-CINDER-81514
Changed Attributes:
SAM Account Name: Guest
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14076 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-501
Account Name: Guest
Account Domain: HV-CINDER-81514
Changed Attributes:
SAM Account Name: Guest
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14075 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-500
Account Name: Administrator
Account Domain: HV-CINDER-81514
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14074 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-500
Account Name: Administrator
Account Domain: HV-CINDER-81514
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14073 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-581
Group Name: System Managed Accounts Group
Group Domain: Builtin
Changed Attributes:
SAM Account Name: System Managed Accounts Group
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14072 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-581
Account Domain: Builtin
Old Account Name: System Managed Accounts Group
New Account Name: System Managed Accounts Group
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14071 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-581
Group Name: System Managed Accounts Group
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14070 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-582
Group Name: Storage Replica Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Storage Replica Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14069 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-582
Account Domain: Builtin
Old Account Name: Storage Replica Administrators
New Account Name: Storage Replica Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14068 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-582
Group Name: Storage Replica Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14067 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-580
Group Name: Remote Management Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Remote Management Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14066 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-580
Account Domain: Builtin
Old Account Name: Remote Management Users
New Account Name: Remote Management Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14065 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-580
Group Name: Remote Management Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14064 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-579
Group Name: Access Control Assistance Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Access Control Assistance Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14063 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-579
Account Domain: Builtin
Old Account Name: Access Control Assistance Operators
New Account Name: Access Control Assistance Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14062 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-579
Group Name: Access Control Assistance Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14061 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-578
Group Name: Hyper-V Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Hyper-V Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14060 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-578
Account Domain: Builtin
Old Account Name: Hyper-V Administrators
New Account Name: Hyper-V Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14059 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-578
Group Name: Hyper-V Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14058 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-577
Group Name: RDS Management Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Management Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14057 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-577
Account Domain: Builtin
Old Account Name: RDS Management Servers
New Account Name: RDS Management Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14056 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-577
Group Name: RDS Management Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14055 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-576
Group Name: RDS Endpoint Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Endpoint Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14054 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-576
Account Domain: Builtin
Old Account Name: RDS Endpoint Servers
New Account Name: RDS Endpoint Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14053 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-576
Group Name: RDS Endpoint Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14052 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-575
Group Name: RDS Remote Access Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Remote Access Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14051 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-575
Account Domain: Builtin
Old Account Name: RDS Remote Access Servers
New Account Name: RDS Remote Access Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14050 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-575
Group Name: RDS Remote Access Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14049 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-574
Group Name: Certificate Service DCOM Access
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Certificate Service DCOM Access
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14048 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-574
Account Domain: Builtin
Old Account Name: Certificate Service DCOM Access
New Account Name: Certificate Service DCOM Access
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14047 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-574
Group Name: Certificate Service DCOM Access
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14046 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-573
Group Name: Event Log Readers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Event Log Readers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14045 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-573
Account Domain: Builtin
Old Account Name: Event Log Readers
New Account Name: Event Log Readers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14044 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-573
Group Name: Event Log Readers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14043 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-569
Group Name: Cryptographic Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Cryptographic Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14042 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-569
Account Domain: Builtin
Old Account Name: Cryptographic Operators
New Account Name: Cryptographic Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14041 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-569
Group Name: Cryptographic Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14040 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-568
Group Name: IIS_IUSRS
Group Domain: Builtin
Changed Attributes:
SAM Account Name: IIS_IUSRS
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14039 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-568
Account Domain: Builtin
Old Account Name: IIS_IUSRS
New Account Name: IIS_IUSRS
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14038 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-568
Group Name: IIS_IUSRS
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14037 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-562
Group Name: Distributed COM Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Distributed COM Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14036 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-562
Account Domain: Builtin
Old Account Name: Distributed COM Users
New Account Name: Distributed COM Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14035 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-562
Group Name: Distributed COM Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14034 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-559
Group Name: Performance Log Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Performance Log Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14033 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-559
Account Domain: Builtin
Old Account Name: Performance Log Users
New Account Name: Performance Log Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14032 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-559
Group Name: Performance Log Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14031 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-558
Group Name: Performance Monitor Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Performance Monitor Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14030 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-558
Account Domain: Builtin
Old Account Name: Performance Monitor Users
New Account Name: Performance Monitor Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14029 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-558
Group Name: Performance Monitor Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14028 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-547
Group Name: Power Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Power Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14027 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-547
Account Domain: Builtin
Old Account Name: Power Users
New Account Name: Power Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14026 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-547
Group Name: Power Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14025 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-556
Group Name: Network Configuration Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Network Configuration Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14024 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-556
Account Domain: Builtin
Old Account Name: Network Configuration Operators
New Account Name: Network Configuration Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14023 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-556
Group Name: Network Configuration Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14022 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-555
Group Name: Remote Desktop Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Remote Desktop Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14021 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-555
Account Domain: Builtin
Old Account Name: Remote Desktop Users
New Account Name: Remote Desktop Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14020 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-555
Group Name: Remote Desktop Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14019 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-552
Group Name: Replicator
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Replicator
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14018 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-552
Account Domain: Builtin
Old Account Name: Replicator
New Account Name: Replicator
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14017 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-552
Group Name: Replicator
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14016 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Backup Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14015 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-551
Account Domain: Builtin
Old Account Name: Backup Operators
New Account Name: Backup Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14014 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14013 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-546
Group Name: Guests
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Guests
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14012 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-546
Account Domain: Builtin
Old Account Name: Guests
New Account Name: Guests
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14011 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-546
Group Name: Guests
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14010 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-545
Group Name: Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14009 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-545
Account Domain: Builtin
Old Account Name: Users
New Account Name: Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14008 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-545
Group Name: Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14007 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14006 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-544
Account Domain: Builtin
Old Account Name: Administrators
New Account Name: Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14005 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14004 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-550
Group Name: Print Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Print Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14003 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-550
Account Domain: Builtin
Old Account Name: Print Operators
New Account Name: Print Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14002 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-550
Group Name: Print Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14001 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 848 | hv-cinder-81514 | | 10/22/2021 6:11:50 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14000 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13999 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13998 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13997 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13996 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13995 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13994 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13993 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:38 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB58F
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13992 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB57D
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13991 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB58F
Linked Logon ID: 0xB57D
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2d0
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13990 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB57D
Linked Logon ID: 0xB58F
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2d0
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13989 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DWM-1
Account Domain: Window Manager
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x2d0
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 13988 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13987 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13986 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 900 | hv-cinder-81514 | | 10/22/2021 6:11:37 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13985 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:11:36 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-81514$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x31c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13984 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 860 | hv-cinder-81514 | | 10/22/2021 6:11:36 PM | 3d21217a-c770-0002-7b21-213d70c7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0x61BD | 4902 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13983 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 864 | hv-cinder-81514 | | 10/22/2021 6:11:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 0
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: -
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13982 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 816 | hv-cinder-81514 | | 10/22/2021 6:11:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. | 4608 | 0 | | 0 | 12288 | 0 | -9214364837600034816 | 13981 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 812 | 816 | hv-cinder-81514 | | 10/22/2021 6:11:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x32c
New Process Name: C:\Windows\System32\lsass.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2ac
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13980 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | hv-cinder-81514 | | 10/22/2021 6:11:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x31c
New Process Name: C:\Windows\System32\services.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2ac
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13979 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-cinder-81514 | | 10/22/2021 6:11:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2d0
New Process Name: C:\Windows\System32\winlogon.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x28c
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13978 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | hv-cinder-81514 | | 10/22/2021 6:11:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2ac
New Process Name: C:\Windows\System32\wininit.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x244
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13977 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | hv-cinder-81514 | | 10/22/2021 6:11:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x294
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x28c
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13976 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | hv-cinder-81514 | | 10/22/2021 6:11:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x28c
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1d4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13975 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | hv-cinder-81514 | | 10/22/2021 6:11:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x24c
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x244
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13974 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 364 | hv-cinder-81514 | | 10/22/2021 6:11:34 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x244
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1d4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13973 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 364 | hv-cinder-81514 | | 10/22/2021 6:11:34 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x214
New Process Name: C:\Windows\System32\autochk.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1d4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13972 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 228 | hv-cinder-81514 | | 10/22/2021 6:11:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1d4
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13971 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-cinder-81514 | | 10/22/2021 6:11:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1d0
New Process Name:
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13970 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-cinder-81514 | | 10/22/2021 6:11:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Boot Configuration Data loaded.
Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
General Settings:
Load Options: -
Advanced Options: No
Configuration Access Policy: Default
System Event Logging: No
Kernel Debugging: No
VSM Launch Type: Auto
Signature Settings:
Test Signing: No
Flight Signing: No
Disable Integrity Checks: No
HyperVisor Settings:
HyperVisor Load Options: -
HyperVisor Launch Type: Auto
HyperVisor Debugging: No | 4826 | 0 | | 0 | 13573 | 0 | -9214364837600034816 | 13969 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-cinder-81514 | | 10/22/2021 6:11:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other Policy Change Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x5cc
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2021?-?10?-?22T18:11:17.689398000Z
New Time: ?2021?-?10?-?22T18:11:17.686000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13968 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 472 | WIN-5T344G8GM1H | | 10/22/2021 6:11:17 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The event logging service has shut down. | 1100 | 0 | | 4 | 103 | 0 | 4620693217682128896 | 13967 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 1300 | 1536 | WIN-5T344G8GM1H | | 10/22/2021 6:11:17 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Service shutdown | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13966 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 10/22/2021 6:11:07 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13965 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 10/22/2021 6:11:07 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13964 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 10/22/2021 6:10:53 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: cloudbase-init
Display Name: cloudbase-init
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 10/22/2021 6:10:52 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13963 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 10/22/2021 6:10:53 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0x2ac
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13962 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 10/22/2021 6:10:52 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-3849261512-1226503618-816449958-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0x2ac
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13961 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 10/22/2021 6:10:52 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Auditing settings on object were changed.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\Temp\winre\ExtractedFromWim
Handle ID: 0x3b4
Process Information:
Process ID: 0x49c
Process Name: C:\Windows\System32\oobe\Setup.exe
Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) | 4907 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13960 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 592 | WIN-5T344G8GM1H | | 10/22/2021 6:10:28 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13959 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:10:01 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13958 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:10:01 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Windows Firewall service started successfully. | 5024 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 13957 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:10:00 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x627E9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13956 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 10/22/2021 6:09:59 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13955 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 10/22/2021 6:09:59 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13954 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 10/22/2021 6:09:59 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13953 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:59 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13952 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:59 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13951 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:59 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13950 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:59 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13949 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:59 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13948 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:59 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13947 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:59 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13946 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:59 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Windows Firewall Driver started successfully. | 5033 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 13945 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 236 | WIN-5T344G8GM1H | | 10/22/2021 6:09:58 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13944 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:58 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13943 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:58 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13942 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 10/22/2021 6:09:58 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13941 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 10/22/2021 6:09:58 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x514
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2021?-?10?-?22T18:09:58.487037100Z
New Time: ?2021?-?10?-?22T18:09:58.374000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13940 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 376 | WIN-5T344G8GM1H | | 10/22/2021 6:09:58 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13939 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:58 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13938 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:58 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13937 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:58 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13936 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:58 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13935 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:51 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13934 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:51 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13933 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:50 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13932 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:50 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x577DA
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13931 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:49 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x577C8
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13930 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:49 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x577DA
Linked Logon ID: 0x577C8
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2dc
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13929 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:49 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x577C8
Linked Logon ID: 0x577DA
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2dc
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13928 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:49 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DWM-1
Account Domain: Window Manager
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x2dc
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 13927 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:49 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13926 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:49 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13925 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:49 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13924 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 10/22/2021 6:09:49 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13923 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 10/22/2021 6:09:49 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13922 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:49 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13921 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 10/22/2021 6:09:49 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13920 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 10/22/2021 6:09:48 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13919 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 10/22/2021 6:09:48 PM | f22a5eb6-c76f-0005-ba5e-2af26fc7d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0x500E4 | 4902 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13918 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 876 | WIN-5T344G8GM1H | | 10/22/2021 6:09:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 0
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: -
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13917 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 828 | WIN-5T344G8GM1H | | 10/22/2021 6:09:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. | 4608 | 0 | | 0 | 12288 | 0 | -9214364837600034816 | 13916 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 828 | WIN-5T344G8GM1H | | 10/22/2021 6:09:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x338
New Process Name: C:\Windows\System32\lsass.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b8
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13915 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | WIN-5T344G8GM1H | | 10/22/2021 6:09:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x328
New Process Name: C:\Windows\System32\services.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b8
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13914 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | WIN-5T344G8GM1H | | 10/22/2021 6:09:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2dc
New Process Name: C:\Windows\System32\winlogon.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x294
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13913 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | WIN-5T344G8GM1H | | 10/22/2021 6:09:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2b8
New Process Name: C:\Windows\System32\wininit.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x254
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13912 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | WIN-5T344G8GM1H | | 10/22/2021 6:09:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2a0
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x294
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13911 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | WIN-5T344G8GM1H | | 10/22/2021 6:09:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x294
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13910 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | WIN-5T344G8GM1H | | 10/22/2021 6:09:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x25c
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x254
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13909 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 376 | WIN-5T344G8GM1H | | 10/22/2021 6:09:46 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x254
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13908 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 376 | WIN-5T344G8GM1H | | 10/22/2021 6:09:46 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x238
New Process Name: C:\Windows\System32\setupcl.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13907 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 10/22/2021 6:09:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x208
New Process Name: C:\Windows\System32\autochk.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13906 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | WIN-5T344G8GM1H | | 10/22/2021 6:09:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1e4
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13905 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 10/22/2021 6:09:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1e0
New Process Name:
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13904 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 10/22/2021 6:09:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Boot Configuration Data loaded.
Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
General Settings:
Load Options: -
Advanced Options: No
Configuration Access Policy: Default
System Event Logging: No
Kernel Debugging: No
VSM Launch Type: Auto
Signature Settings:
Test Signing: No
Flight Signing: No
Disable Integrity Checks: No
HyperVisor Settings:
HyperVisor Load Options: -
HyperVisor Launch Type: Auto
HyperVisor Debugging: No | 4826 | 0 | | 0 | 13573 | 0 | -9214364837600034816 | 13903 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 10/22/2021 6:09:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other Policy Change Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x4dc
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z
New Time: ?2018?-?01?-?19T09:48:13.152000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13902 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 1980 | WIN-5T344G8GM1H | | 1/19/2018 9:48:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The event logging service has shut down. | 1100 | 0 | | 4 | 103 | 0 | 4620693217682128896 | 13901 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 436 | 1144 | WIN-5T344G8GM1H | | 1/19/2018 9:48:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Service shutdown | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| User initiated logoff:
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event. | 4647 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 13900 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:48:12 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13899 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 3024 | WIN-5T344G8GM1H | | 1/19/2018 9:48:11 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13898 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 3024 | WIN-5T344G8GM1H | | 1/19/2018 9:48:11 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13897 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 756 | WIN-5T344G8GM1H | | 1/19/2018 9:48:10 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13896 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 756 | WIN-5T344G8GM1H | | 1/19/2018 9:48:10 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Domain Policy was changed.
Change Type: Password Policy modified
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Domain:
Domain Name: WIN-5T344G8GM1H
Domain ID: S-1-5-21-416071247-492812682-1642729393
Changed Attributes:
Min. Password Age:
Max. Password Age:
Force Logoff:
Lockout Threshold:
Lockout Observation Window:
Lockout Duration:
Password Properties:
Min. Password Length:
Password History Length: -
Machine Account Quota: -
Mixed Domain Mode: -
Domain Behavior Version: -
OEM Information: 1
Additional Information:
Privileges: - | 4739 | 0 | | 0 | 13569 | 0 | -9214364837600034816 | 13895 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Authentication Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x10
User Account Control:
'Don't Expire Password' - Disabled
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13894 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13893 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 1/19/2018 9:47:34 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13892 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Domain Policy was changed.
Change Type: Password Policy modified
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Domain:
Domain Name: WIN-5T344G8GM1H
Domain ID: S-1-5-21-416071247-492812682-1642729393
Changed Attributes:
Min. Password Age: ??
Max. Password Age:
Force Logoff: ??
Lockout Threshold:
Lockout Observation Window: -
Lockout Duration: -
Password Properties: -
Min. Password Length: -
Password History Length: 0
Machine Account Quota: 0
Mixed Domain Mode: 0
Domain Behavior Version: -
OEM Information: -
Additional Information:
Privileges: - | 4739 | 0 | | 0 | 13569 | 0 | -9214364837600034816 | 13891 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Authentication Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
User:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0xfac
Process Name: C:\Windows\System32\Sysprep\sysprep.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13890 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13889 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13888 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The audit log was cleared.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Domain Name: WIN-5T344G8GM1H
Logon ID: 0x1F0E3 | 1102 | 0 | | 4 | 104 | 0 | 4620693217682128896 | 13887 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 436 | 1136 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Log clear | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |