Message | Id | Version | Qualifiers | Level | Task | Opcode | Keywords | RecordId | ProviderName | ProviderId | LogName | ProcessId | ThreadId | MachineName | UserId | TimeCreated | ActivityId | RelatedActivityId | ContainerLog | MatchedQueryIds | Bookmark | LevelDisplayName | OpcodeDisplayName | TaskDisplayName | KeywordsDisplayNames | Properties |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x101731
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x44c
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 15504 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 5:06:17 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC12FC8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15503 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 5:05:53 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC23261
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15502 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:05:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC3129B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15501 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:05:46 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC3129B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15500 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:05:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC3129B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15499 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:05:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15498 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:05:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC27796
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15497 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:08 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC27796
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15496 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC27796
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15495 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15494 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC23C65
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15493 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC23C65
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15492 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC23C65
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15491 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15490 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC23124
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15489 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC23261
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15488 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC23261
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15487 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15486 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC2320C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15485 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC2320C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15484 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC2320C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15483 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15482 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC231C7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15481 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC231C7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15480 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC231C7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15479 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15478 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC23124
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15477 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1794902335-1233945869-2158119053-2738895305
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC23124
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15476 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6AFC093F-850D-498C-8D48-A280C93940A3
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15475 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:04:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC21A0F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15474 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:03:49 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC21A0F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15473 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:03:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC21A0F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15472 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:03:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15471 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:03:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC17141
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15470 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:38 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC17141
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15469 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC17141
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15468 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15467 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC1399B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15466 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC1399B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15465 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC1399B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15464 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15463 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC12E85
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15462 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC12FC8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15461 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC12FC8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15460 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15459 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC12F73
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15458 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC12F73
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15457 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC12F73
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15456 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15455 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC12F2E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15454 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC12F2E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15453 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC12F2E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15452 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15451 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC12E85
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15450 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3626761800-1323487449-1201930916-1641079456
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC12E85
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15449 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D82BFE48-D0D9-4EE2-A402-A447A0E2D061
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15448 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:01:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBFFBBC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15447 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 5:01:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC04F95
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15446 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC04F95
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15445 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC04F95
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15444 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15443 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC015D1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15442 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:43 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC015D1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15441 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xC015D1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15440 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15439 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBFFA6D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15438 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBFFBBC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15437 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBFFBBC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15436 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15435 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBFFB67
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15434 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBFFB67
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15433 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBFFB67
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15432 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15431 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBFFB21
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15430 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBFFB21
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15429 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBFFB21
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15428 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15427 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBFFA6D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15426 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2797465904-1148499032-1992409988-1333054400
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBFFA6D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15425 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A6BDF130-B458-4474-84C3-C176C0CB744F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15424 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE9240
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15423 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:59:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBEF8B6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15422 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:18 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBEF8B6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15421 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:18 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBEF8B6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15420 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:18 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15419 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:18 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBEBFA8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15418 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBEBFA8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15417 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBEBFA8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15416 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15415 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE90F1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15414 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE9240
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15413 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE9240
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15412 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15411 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE91EB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15410 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE91EB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15409 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE91EB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15408 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15407 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE91A5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15406 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE91A5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15405 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE91A5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15404 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15403 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE90F1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15402 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1772584572-1333490274-695477160-3327340053
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBE90F1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15401 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 69A77E7C-7262-4F7B-A823-7429152E53C6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15400 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:57:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD8333
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15399 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:56:38 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBDC3DF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15398 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBDC3DF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15397 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBDC3DF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15396 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15395 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD8CA8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15394 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD8CA8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15393 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD8CA8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15392 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15391 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD81F3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15390 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD8333
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15389 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD8333
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15388 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15387 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD82DE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15386 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:20 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD82DE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15385 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD82DE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15384 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15383 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD8299
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15382 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:20 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD8299
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15381 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD8299
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15380 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15379 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD81F3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15378 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1973336063-1171244709-2041061511-611321945
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD81F3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15377 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 759EB7FF-C6A5-45CF-8720-A87959087024
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15376 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:55:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC1309
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15375 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:55:08 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD1552
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15374 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:55:05 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD1552
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15373 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:55:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBD1552
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15372 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:55:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15371 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:55:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC5355
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15370 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:45 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC5355
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15369 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:45 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC5355
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15368 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:45 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15367 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:45 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC1CD3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15366 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC1CD3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15365 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC1CD3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15364 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15363 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC11C6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15362 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC1309
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15361 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC1309
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15360 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15359 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC12B4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15358 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC12B4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15357 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC12B4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15356 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15355 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC126F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15354 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC126F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15353 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC126F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15352 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15351 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC11C6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15350 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1913508589-1327041969-2228372888-2038023735
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBC11C6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15349 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 720DD2ED-0DB1-4F19-9845-D28437C67979
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15348 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAE79C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15347 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:52:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBB29F7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15346 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBB29F7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15345 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:35 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBB29F7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15344 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:35 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15343 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:35 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAF200
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15342 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAF200
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15341 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAF200
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15340 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15339 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAE659
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15338 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAE79C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15337 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAE79C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15336 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15335 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAE747
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15334 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAE747
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15333 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAE747
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15332 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15331 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAE702
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15330 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAE702
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15329 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAE702
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15328 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15327 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAE659
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15326 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1102598365-1190059825-1463905464-2612199421
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xBAE659
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15325 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 41B850DD-DF31-46EE-B86C-4157FDFFB29B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15324 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB99861
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15323 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:51:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9DA62
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15322 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:56 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9DA62
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15321 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:56 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9DA62
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15320 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:56 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15319 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:56 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9A226
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15318 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9A226
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15317 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9A226
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15316 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15315 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB99721
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15314 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB99861
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15313 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB99861
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15312 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15311 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9980C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15310 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9980C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15309 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB9980C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15308 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15307 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB997C7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15306 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB997C7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15305 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB997C7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15304 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15303 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB99721
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15302 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-169056043-1202267678-4263528853-44022611
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB99721
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15301 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 0A13972B-261E-47A9-9549-20FE53BB9F02
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15300 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB8D91C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15299 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB8C2E7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15298 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:49:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB8D91C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15297 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:49:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB8D91C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15296 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:49:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15295 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:49:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB8D8C7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15294 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:49:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB8D8C7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15293 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:49:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB8D8C7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15292 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:49:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15291 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:49:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB8D882
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15290 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB8D882
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15289 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB8D882
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15288 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15287 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB8C2E7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15286 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB8C2E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15285 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15284 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7D7E1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15283 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:49:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB82938
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15282 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:48:06 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB82938
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15281 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:48:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB82938
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15280 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:48:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15279 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:48:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7E9E2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15278 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7E9E2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15277 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7E9E2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15276 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15275 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7D63A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15274 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7D7E1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15273 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7D7E1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15272 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15271 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7D73A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15270 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7D73A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15269 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7D73A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15268 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15267 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7D6E1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15266 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7D6E1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15265 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7D6E1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15264 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15263 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7D63A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15262 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-163881126-1324528611-3485180809-3714990155
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB7D63A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15261 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 09C4A0A6-B3E3-4EF2-89A3-BBCF4B406EDD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15260 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:48:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB691FB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15259 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:47:45 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB6D4D3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15258 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB6D4D3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15257 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB6D4D3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15256 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15255 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB69C4F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15254 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB69C4F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15253 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB69C4F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15252 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15251 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB690B8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15250 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB691FB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15249 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB691FB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15248 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15247 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB691A6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15246 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB691A6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15245 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB691A6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15244 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15243 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB69161
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15242 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB69161
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15241 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB69161
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15240 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15239 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB690B8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15238 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1873858885-1279810878-3754715066-1370892251
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB690B8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15237 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6FB0D145-5D3E-4C48-BA67-CCDFDB27B651
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15236 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:46:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB57A25
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15235 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:45:59 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB5BE63
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15234 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:17 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB5BE63
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15233 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:17 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB5BE63
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15232 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:17 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15231 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:17 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB583F4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15230 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB583F4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15229 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB583F4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15228 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15227 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB578E2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15226 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB57A25
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15225 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB57A25
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15224 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15223 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB579D0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15222 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB579D0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15221 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB579D0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15220 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15219 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB5798B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15218 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB5798B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15217 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB5798B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15216 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15215 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB578E2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15214 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2752654027-1216501696-2806834832-58980378
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB578E2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15213 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A4122ACB-57C0-4882-90E6-4CA71AF88303
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15212 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:45:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3CC69
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15211 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:44:51 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB451DE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15210 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB451DE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15209 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB451DE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15208 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15207 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB40E2A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15206 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB40E2A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15205 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB40E2A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15204 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15203 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3D65B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15202 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3D65B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15201 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3D65B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15200 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15199 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3CB2A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15198 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3CC69
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15197 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3CC69
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15196 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15195 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3CC14
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15194 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3CC14
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15193 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3CC14
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15192 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15191 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3CBCF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15190 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3CBCF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15189 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3CBCF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15188 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15187 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3CB2A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15186 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:18 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1058753457-1322587569-1547401606-3412860565
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3CB2A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15185 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:18 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3F1B4BB1-15B1-4ED5-8679-3B5C951E6CCB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15184 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 4324 | hv-neutron-8080 | | 9/9/2021 4:43:18 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2A274
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15183 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3243B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15182 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:27 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3243B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15181 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:27 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB3243B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15180 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:27 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15179 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:27 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2E15E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15178 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2E15E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15177 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:14 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2E15E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15176 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:14 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15175 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:14 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2AC2A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15174 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2AC2A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15173 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2AC2A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15172 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15171 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2A132
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15170 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2A274
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15169 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2A274
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15168 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15167 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2A21F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15166 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2A21F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15165 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2A21F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15164 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15163 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2A1DA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15162 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2A1DA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15161 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2A1DA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15160 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15159 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2A132
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15158 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1079355420-1320764083-1385588609-438585839
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2A132
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15157 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 4055A81C-42B3-4EB9-8167-9652EF49241A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15156 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB18979
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15155 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:42:04 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2116A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15154 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:54 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2116A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15153 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:54 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB2116A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15152 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:54 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15151 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:54 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB1CB92
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15150 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB1CB92
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15149 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB1CB92
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15148 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15147 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB19366
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15146 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB19366
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15145 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB19366
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15144 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15143 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB1883B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15142 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB18979
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15141 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB18979
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15140 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15139 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB18924
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15138 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB18924
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15137 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB18924
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15136 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15135 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB188DF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15134 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB188DF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15133 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB188DF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15132 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15131 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB1883B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15130 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1375363281-1203365114-4216379296-1401285073
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB1883B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15129 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 51FA60D1-E4FA-47B9-A0D7-50FBD1E98553
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15128 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:38 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFE4CD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15127 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:41:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB05F66
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15126 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:58 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB0B150
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15125 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:56 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB0B150
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15124 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:56 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB0B150
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15123 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:56 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15122 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:56 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB069E2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15121 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB069E2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15120 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB069E2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15119 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15118 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB05E24
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15117 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB05F66
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15116 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB05F66
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15115 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15114 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB05F11
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15113 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB05F11
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15112 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB05F11
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15111 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15110 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB05ECC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15109 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB05ECC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15108 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB05ECC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15107 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15106 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB05E24
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15105 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2409184380-1203502333-962860946-3976206426
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB05E24
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15104 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 8F993C7C-FCFD-47BB-9217-64395A1800ED
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15103 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB02557
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15102 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:46 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB02557
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15101 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xB02557
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15100 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15099 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFEEA4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15098 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFEEA4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15097 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFEEA4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15096 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15095 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFE38B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15094 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFE4CD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15093 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFE4CD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15092 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15091 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFE478
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15090 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFE478
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15089 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFE478
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15088 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15087 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFE433
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15086 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFE433
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15085 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFE433
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15084 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15083 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFE38B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15082 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-597309318-1332045608-3065057690-219845002
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAFE38B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15081 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 239A3786-6728-4F65-9A11-B1B68A911A0D
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15080 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAF2E8D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15079 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAF01F8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15078 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:19 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAF2E8D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15077 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAF2E8D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15076 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15075 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAF2E38
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15074 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:19 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAF2E38
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15073 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAF2E38
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15072 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15071 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAF2DF3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15070 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:19 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAF2DF3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15069 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAF2DF3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15068 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15067 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAF01F8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15066 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:14 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAF01F8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15065 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:14 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15064 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:14 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAE7369
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15063 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:07 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAE3E5A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15062 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAE7369
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15061 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAE7369
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15060 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15059 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAE7314
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15058 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAE7314
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15057 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAE7314
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15056 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15055 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:40:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAE72CF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15054 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAE72CF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15053 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAE72CF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15052 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15051 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:40:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAE3E5A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15050 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:39:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAE3E5A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15049 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:39:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15048 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:39:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACCD0D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15047 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:39:50 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xADAFE9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15046 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:39:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xADAFE9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15045 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:39:35 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xADAFE9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15044 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:39:35 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15043 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:39:35 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAD0F47
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15042 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:45 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAD0F47
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15041 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:45 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAD0F47
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15040 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:45 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15039 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:45 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACD74B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15038 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACD74B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15037 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACD74B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15036 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15035 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACCBCB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15034 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACCD0D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15033 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACCD0D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15032 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15031 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACCCB8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15030 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACCCB8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15029 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACCCB8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15028 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15027 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACCC73
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15026 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACCC73
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15025 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACCC73
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15024 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15023 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACCBCB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15022 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1914090991-1130585078-2418203776-2040588741
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xACCBCB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15021 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7216B5EF-5BF6-4363-80DC-2290C5E9A079
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15020 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAC2641
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15019 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:38:33 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAC180A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15018 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAC2641
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15017 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAC2641
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15016 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15015 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAC25EC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15014 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAC25EC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15013 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAC25EC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15012 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15011 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAC25A7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15010 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAC25A7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15009 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAC25A7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15008 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15007 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAC180A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15006 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:28 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAC180A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15005 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:28 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 15004 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:28 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAB94F5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15003 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:27 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAB7F58
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 15002 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAB94F5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 15001 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAB94F5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 15000 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14999 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAB94A0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14998 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAB94A0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14997 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAB94A0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14996 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14995 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAB945B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14994 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAB945B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14993 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAB945B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14992 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14991 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAB7F58
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14990 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:22 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAB7F58
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14989 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:22 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14988 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:22 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA6D1F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14987 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:38:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAAAEDC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14986 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAAAEDC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14985 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAAAEDC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14984 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14983 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:29 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA775F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14982 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA775F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14981 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA775F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14980 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14979 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA6BDB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14978 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA6D1F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14977 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA6D1F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14976 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14975 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA6CCA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14974 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA6CCA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14973 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA6CCA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14972 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14971 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA6C85
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14970 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA6C85
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14969 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA6C85
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14968 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14967 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA6BDB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14966 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-753061917-1315286560-3597584269-273232631
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xAA6BDB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14965 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2CE2D01D-AE20-4E65-8DC7-6ED6F7324910
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14964 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:37:24 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA9CF08
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14963 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:18 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA9B8F1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14962 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:12 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA9CF08
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14961 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA9CF08
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14960 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14959 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA9CEB3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14958 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:12 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA9CEB3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14957 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA9CEB3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14956 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14955 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA9CE6E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14954 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:12 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA9CE6E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14953 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA9CE6E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14952 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14951 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA9B8F1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14950 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA9B8F1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14949 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14948 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89CB8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14947 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:37:10 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8DE1D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14946 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:12 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8DE1D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14945 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8DE1D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14944 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14943 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8A693
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14942 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8A693
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14941 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8A693
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14940 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14939 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89B7B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14938 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89CB8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14937 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89CB8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14936 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14935 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89C63
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14934 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89C63
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14933 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89C63
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14932 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14931 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89C1E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14930 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89C1E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14929 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89C1E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14928 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14927 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89B7B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14926 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:07 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-353756315-1339426458-1884620200-3716272107
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89B7B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14925 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:07 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 1515E49B-069A-4FD6-A805-5570EBCF81DD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14924 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:07 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA80786
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14923 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:36:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA7F1E9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14922 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:57 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA80786
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14921 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA80786
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14920 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14919 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA80731
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14918 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:57 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA80731
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14917 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA80731
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14916 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14915 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA806EC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14914 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:57 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA806EC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14913 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA806EC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14912 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14911 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA7F1E9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14910 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:56 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA7F1E9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14909 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:56 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14908 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:56 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6E330
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14907 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA7264D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14906 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:04 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA7264D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14905 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA7264D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14904 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14903 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6ECF3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14902 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6ECF3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14901 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6ECF3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14900 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14899 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6E1F3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14898 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6E330
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14897 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6E330
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14896 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14895 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6E2DB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14894 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6E2DB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14893 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6E2DB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14892 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14891 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6E296
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14890 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6E296
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14889 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6E296
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14888 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14887 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6E1F3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14886 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1069943952-1332399825-567029684-2810143703
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6E1F3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14885 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3FC60C90-CED1-4F6A-B42F-CC21D7637FA7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14884 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:35:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA632E7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14883 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:46 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA61CDA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14882 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA632E7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14881 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA632E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14880 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14879 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6328E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14878 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6328E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14877 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6328E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14876 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14875 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA63249
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14874 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA63249
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14873 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA63249
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14872 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14871 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA61CDA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14870 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA61CDA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14869 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14868 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA55A92
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14867 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:39 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA59D2C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14866 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:10 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA59D2C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14865 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:10 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA59D2C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14864 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:10 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14863 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:34:10 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA564E1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14862 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:05 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA564E1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14861 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA564E1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14860 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14859 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA55950
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14858 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA55A92
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14857 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA55A92
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14856 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14855 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA55A3D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14854 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA55A3D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14853 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA55A3D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14852 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14851 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA559F8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14850 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA559F8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14849 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA559F8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14848 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14847 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA55950
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14846 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3577391492-1207421502-1907897735-3312426650
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA55950
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14845 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D53AA984-CA3E-47F7-8735-B8719A9E6FC5
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14844 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA4C0B6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14843 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:34:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA4AB4C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14842 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:58 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA4C0B6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14841 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:58 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA4C0B6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14840 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:58 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14839 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:58 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA4C061
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14838 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:58 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA4C061
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14837 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:58 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA4C061
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14836 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:58 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14835 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:58 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA4C01C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14834 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:58 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA4C01C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14833 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:58 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA4C01C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14832 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:58 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14831 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:58 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA4AB4C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14830 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA4AB4C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14829 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14828 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:57 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3D7B1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14827 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:56 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA417FE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14826 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:25 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA417FE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14825 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:25 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA417FE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14824 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:25 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14823 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:25 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3E187
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14822 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3E187
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14821 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3E187
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14820 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14819 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3D66E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14818 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3D7B1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14817 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3D7B1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14816 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14815 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3D75C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14814 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3D75C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14813 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3D75C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14812 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14811 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3D717
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14810 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3D717
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14809 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3D717
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14808 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14807 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3D66E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14806 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3657574183-1233658418-3332365449-1048552530
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA3D66E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14805 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DA022727-2232-4988-89DC-9FC652A47F3E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14804 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA33550
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14803 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA31F34
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14802 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:09 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA33550
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14801 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA33550
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14800 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14799 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA334FB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14798 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:09 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA334FB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14797 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA334FB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14796 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14795 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:33:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA334B6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14794 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:09 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA334B6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14793 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA334B6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14792 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14791 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA31F34
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14790 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA31F34
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14789 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14788 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2489F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14787 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:33:07 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28884
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14786 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28884
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14785 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28884
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14784 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14783 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2525E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14782 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2525E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14781 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2525E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14780 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14779 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA24763
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14778 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2489F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14777 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2489F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14776 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14775 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2484A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14774 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2484A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14773 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2484A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14772 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14771 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA24805
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14770 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA24805
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14769 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA24805
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14768 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14767 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA24763
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14766 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3889492031-1290473350-2095367064-62473019
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA24763
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14765 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7D4F03F-0F86-4CEB-98C3-E47C3B43B903
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14764 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:32 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18E28
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14763 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA1CF37
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14762 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA1CF37
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14761 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA1CF37
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14760 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14759 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA197F7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14758 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA197F7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14757 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA197F7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14756 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14755 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18CE5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14754 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18E28
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14753 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18E28
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14752 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14751 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18DD3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14750 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18DD3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14749 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18DD3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14748 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14747 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18D8E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14746 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18D8E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14745 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18D8E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14744 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14743 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18CE5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14742 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4123759058-1188239460-2617266592-2754436606
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18CE5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14741 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F5CB91D2-1864-46D3-A051-009CFE5D2DA4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14740 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:32:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA09FAD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14739 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:31:59 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA0E177
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14738 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA0E177
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14737 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA0E177
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14736 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14735 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA0A9FB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14734 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA0A9FB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14733 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA0A9FB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14732 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14731 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA09E6A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14730 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA09FAD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14729 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA09FAD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14728 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14727 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA09F58
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14726 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA09F58
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14725 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA09F58
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14724 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14723 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA09F13
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14722 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA09F13
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14721 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA09F13
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14720 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14719 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA09E6A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14718 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-867723259-1104644908-997453199-1534345772
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA09E6A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14717 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 33B867FB-8B2C-41D7-8FED-733B2C42745B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14716 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:31:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDCBA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14715 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:30:54 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F5750
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14714 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:30:50 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F97DC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14713 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:06 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F97DC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14712 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F97DC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14711 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14710 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F6139
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14709 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F6139
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14708 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F6139
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14707 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14706 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F560E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14705 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F5750
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14704 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F5750
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14703 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14702 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F56FB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14701 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F56FB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14700 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F56FB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14699 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14698 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F56B2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14697 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F56B2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14696 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F56B2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14695 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14694 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F560E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14693 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2310486207-1081859346-3195777414-3653022058
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F560E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14692 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 89B738BF-DD12-407B-86B1-7BBE6AB1BCD9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14691 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:30:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F1E78
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14690 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:54 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F1E78
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14689 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:54 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F1E78
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14688 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:54 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14687 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:54 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EE689
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14686 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EE689
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14685 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EE689
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14684 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14683 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDB77
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14682 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDCBA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14681 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDCBA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14680 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14679 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDC65
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14678 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDC65
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14677 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDC65
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14676 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14675 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDC20
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14674 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDC20
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14673 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDC20
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14672 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14671 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDB77
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14670 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3439961832-1158965583-2434251693-2417183536
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDB77
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14669 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: CD09A6E8-694F-4514-ADBB-1791304B1390
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14668 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D8D55
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14667 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:29:34 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9DCE42
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14666 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:53 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9DCE42
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14665 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:53 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9DCE42
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14664 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:53 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14663 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:53 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D9734
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14662 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:49 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D9734
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14661 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D9734
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14660 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14659 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D8C12
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14658 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:49 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D8D55
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14657 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D8D55
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14656 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14655 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D8D00
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14654 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D8D00
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14653 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D8D00
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14652 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14651 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D8CBB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14650 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D8CBB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14649 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D8CBB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14648 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14647 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D8C12
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14646 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2600296586-1125540178-2331662734-996605590
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D8C12
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14645 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9AFD608A-6152-4316-8E59-FA8A96FE663B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14644 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CA16D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14643 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:26:33 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CE1F5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14642 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:53 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CE1F5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14641 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:53 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CE1F5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14640 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:53 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14639 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:53 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CAB3C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14638 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CAB3C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14637 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CAB3C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14636 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14635 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CA02B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14634 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CA16D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14633 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CA16D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14632 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14631 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CA118
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14630 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CA118
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14629 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CA118
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14628 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14627 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CA0D3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14626 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CA0D3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14625 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CA0D3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14624 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14623 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CA02B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14622 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2890724390-1259919423-355156891-340346960
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9CA02B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14621 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AC4CF426-D83F-4B18-9B43-2B1550484914
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14620 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BD052
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14619 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:30 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9C1193
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14618 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:27 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9C1193
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14617 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:27 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9C1193
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14616 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:27 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14615 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:27 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BDA89
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14614 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BDA89
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14613 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BDA89
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14612 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14611 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BCF10
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14610 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BD052
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14609 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BD052
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14608 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14607 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BCFFD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14606 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BCFFD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14605 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BCFFD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14604 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14603 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BCFB8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14602 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BCFB8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14601 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BCFB8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14600 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14599 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BCF10
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14598 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-913491803-1207907178-3390159292-3886529139
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9BCF10
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14597 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 3672C75B-336A-47FF-BCB9-11CA73BAA7E7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14596 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:20 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B1670
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14595 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:13 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B5865
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14594 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:09 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B5865
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14593 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B5865
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14592 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14591 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B20AC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14590 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B20AC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14589 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B20AC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14588 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14587 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B152D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14586 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B1670
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14585 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B1670
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14584 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14583 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B161B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14582 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B161B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14581 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B161B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14580 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14579 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B15D6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14578 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B15D6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14577 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B15D6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14576 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14575 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B152D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14574 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-25314340-1263043223-1332047551-4284824921
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B152D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14573 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 01824424-8297-4B48-BF6E-654F593D65FF
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14572 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:25:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A4C4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14571 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:24:44 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99579A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14570 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:24:39 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x928AEE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14569 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96ED23
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14568 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x999C9C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14567 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:06 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x999C9C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14566 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x999C9C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14565 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14564 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x996249
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14563 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x996249
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14562 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x996249
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14561 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14560 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x995658
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14559 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99579A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14558 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99579A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14557 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14556 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x995745
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14555 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x995745
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14554 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x995745
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14553 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14552 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x995700
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14551 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x995700
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14550 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x995700
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14549 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14548 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x995658
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14547 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4134443000-1183840153-1878291105-3429893105
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x995658
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14546 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F66E97F8-F799-468F-A172-F46FF10370CC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14545 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:24:00 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98E88B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14544 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:12 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98E88B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14543 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98E88B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14542 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14541 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98AF7B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14540 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98AF7B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14539 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98AF7B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14538 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14537 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A388
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14536 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A4C4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14535 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A4C4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14534 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14533 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A46F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14532 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A46F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14531 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A46F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14530 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14529 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A42A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14528 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A42A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14527 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A42A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14526 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14525 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A388
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14524 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1186823141-1286830190-4178651265-2613209682
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98A388
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14523 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 46BD7BE5-786E-4CB3-8128-11F9526AC29B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14522 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:23:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C233
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14521 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:49 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x982445
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14520 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:44 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x982445
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14519 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:44 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x982445
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14518 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:44 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14517 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:44 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x97BD25
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14516 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:39 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x97BD25
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14515 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:39 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x97BD25
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14514 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:39 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14513 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:39 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14512 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:35 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14511 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:35 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96EBD5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14510 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96ED23
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14509 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96ED23
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14508 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14507 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96ECCE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14506 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96ECCE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14505 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96ECCE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14504 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14503 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96EC88
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14502 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96EC88
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14501 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96EC88
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14500 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14499 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96EBD5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14498 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2749940117-1156580078-3340474282-3825372081
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96EBD5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14497 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A3E8C195-02EE-44F0-AA97-1BC7B18B02E4
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14496 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:34 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x954984
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14495 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9630AD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14494 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:10 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9630AD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14493 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:10 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9630AD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14492 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:10 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14491 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:22:10 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95CC6A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14490 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95CC6A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14489 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95CC6A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14488 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14487 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C0F0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14486 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C233
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14485 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C233
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14484 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14483 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C1DE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14482 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C1DE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14481 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C1DE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14480 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14479 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C199
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14478 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C199
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14477 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C199
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14476 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14475 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C0F0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14474 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1151369406-1258422217-61987230-1122925006
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95C0F0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14473 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 44A080BE-FFC9-4B01-9ED9-B103CE79EE42
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14472 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95998B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14471 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95998B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14470 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95998B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14469 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14468 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:22:02 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x955437
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14467 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x955437
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14466 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x955437
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14465 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14464 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95483C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14463 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x954984
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14462 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x954984
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14461 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14460 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95492F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14459 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95492F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14458 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95492F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14457 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14456 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9548EA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14455 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9548EA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14454 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9548EA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14453 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14452 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95483C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14451 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1642823377-1328234225-340308927-2805250715
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95483C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14450 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 61EB7ED1-3EF1-4F2B-BFB3-48149BBA34A7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14449 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:21:55 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93D29A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14448 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:21:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x908406
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14447 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:21:25 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x92970E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14446 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:21:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93FF57
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14445 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93FF57
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14444 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93FF57
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14443 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14442 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:48 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93DE13
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14441 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93DE13
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14440 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93DE13
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14439 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14438 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93D15F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14437 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93D29A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14436 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93D29A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14435 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14434 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93D245
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14433 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93D245
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14432 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93D245
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14431 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14430 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93D200
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14429 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93D200
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14428 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93D200
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14427 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14426 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93D15F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14425 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3552049891-1237537449-2952732044-1018611135
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93D15F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14424 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D3B7FAE3-52A9-49C3-8C1D-FFAFBFC5B63C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14423 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91A979
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14422 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:46 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x936501
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14421 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:39 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x936501
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14420 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:39 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x936501
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14419 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:39 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14418 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:39 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x931E7B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14417 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x931E7B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14416 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x931E7B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14415 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14414 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:37 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x92C43A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14413 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:28 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x92C43A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14412 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:28 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x92C43A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14411 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:28 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14410 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:28 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x92A1DF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14409 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:27 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x92A1DF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14408 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:27 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x92A1DF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14407 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:27 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14406 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:27 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9295CC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14405 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x92970E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14404 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x92970E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14403 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14402 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9296B9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14401 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9296B9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14400 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9296B9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14399 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14398 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x929674
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14397 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x929674
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14396 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x929674
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14395 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14394 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9295CC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14393 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1535151426-1112643165-695710369-3954588616
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9295CC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14392 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 5B808D42-965D-4251-A1B2-7729C83BB6EB
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14391 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x928998
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14390 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x928AEE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14389 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x928AEE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14388 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14387 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x928A99
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14386 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x928A99
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14385 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x928A99
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14384 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14383 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x928A53
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14382 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x928A53
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14381 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x928A53
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14380 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14379 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x928998
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14378 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2248620596-1100152162-1869944249-1310852261
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x928998
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14377 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 86073A34-FD62-4192-B915-756FA504224E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14376 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:20:23 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5D97
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14375 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:20:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91EFA6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14374 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:20:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91EFA6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14373 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:20:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91EFA6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14372 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:20:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14371 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:20:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91B4AA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14370 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91B4AA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14369 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91B4AA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14368 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14367 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91A837
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14366 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91A979
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14365 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91A979
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14364 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14363 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91A91D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14362 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91A91D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14361 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91A91D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14360 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14359 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91A8D8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14358 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91A8D8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14357 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91A8D8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14356 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14355 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91A837
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14354 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2928189392-1304956745-533299854-1758567461
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91A837
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14353 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: AE889FD0-0F49-4DC8-8E82-C91F259CD168
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14352 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9146F6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14351 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:28 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9146F6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14350 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:28 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9146F6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14349 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:28 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14348 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:28 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D4C81
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14347 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:28 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x908E46
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14346 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:22 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x908E46
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14345 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:22 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x908E46
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14344 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:22 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14343 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:22 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9082C3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14342 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x908406
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14341 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x908406
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14340 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14339 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9083B1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14338 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9083B1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14337 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9083B1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14336 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14335 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90836C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14334 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90836C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14333 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90836C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14332 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14331 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9082C3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14330 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-804332907-1233917893-343169981-2115953239
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9082C3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14329 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 2FF1256B-17C5-498C-BD5B-741457E21E7E
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14328 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:19:21 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FA9C5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14327 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:58 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FA9C5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14326 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:58 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8FA9C5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14325 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:58 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14324 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:58 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F4AE5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14323 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:53 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F4AE5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14322 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:53 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F4AE5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14321 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:53 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14320 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:53 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14319 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:17:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14318 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:17:47 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5C41
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14317 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5D97
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14316 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5D97
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14315 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14314 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5D42
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14313 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5D42
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14312 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5D42
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14311 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14310 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5CFC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14309 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5CFC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14308 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5CFC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14307 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14306 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5C41
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14305 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2252048059-1117091288-2194234240-789789918
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5C41
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14304 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 863B86BB-75D8-4295-805B-C982DE3C132F
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14303 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:17:46 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D92DD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14302 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:51 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D92DD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14301 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D92DD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14300 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14299 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D565C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14298 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D565C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14297 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D565C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14296 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14295 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D4B3A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14294 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D4C81
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14293 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D4C81
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14292 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14291 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D4C2C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14290 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D4C2C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14289 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D4C2C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14288 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14287 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D4BE7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14286 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D4BE7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14285 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D4BE7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14284 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14283 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D4B3A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14282 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1628146990-1110091521-3676525755-2726761528
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D4B3A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14281 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 610B8D2E-A701-422A-BB54-23DB381487A2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14280 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:16:42 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B1F86
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14279 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:15:34 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8ABFD7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14278 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 2396 | hv-neutron-8080 | | 9/9/2021 4:15:33 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BD8F1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14277 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:50 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BD8F1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14276 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BD8F1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14275 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14274 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B9B6B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14273 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:49 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B9B6B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14272 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B9B6B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14271 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14270 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B296B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14269 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:44 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B296B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14268 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:44 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B296B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14267 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:44 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14266 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:44 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B1E44
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14265 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B1F86
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14264 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B1F86
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14263 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14262 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B1F31
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14261 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B1F31
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14260 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B1F31
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14259 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14258 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B1EEC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14257 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B1EEC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14256 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B1EEC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14255 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14254 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B1E44
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14253 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3602022571-1249788950-1867976626-844197708
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B1E44
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14252 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D6B280AB-4416-4A7E-B20F-576F4C6F5132
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14251 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8AECF1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14250 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8AECF1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14249 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8AECF1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14248 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14247 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A9878
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14246 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14245 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14244 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8ABFD7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14243 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8ABFD7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14242 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14241 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8ABAB6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14240 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8ABAB6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14239 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8ABAB6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14238 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14237 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8AB9BC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14236 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8AB9BC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14235 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8AB9BC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14234 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14233 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A9878
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14232 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3886226422-1226721006-2502012545-3738645656
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A9878
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14231 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E7A31BF6-46EE-491E-81AE-21959834D7DE
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14230 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 3768 | hv-neutron-8080 | | 9/9/2021 4:14:41 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x101731
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x1120
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14229 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:12:52 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x101731
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0xbd0
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14228 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:12:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14227 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:00:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14226 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 4:00:26 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14225 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 3:46:28 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14224 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 3:46:28 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x101731
User:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Process Information:
Process ID: 0x2e0
Process Name: C:\Program Files\Git\usr\bin\bash.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14223 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-neutron-8080 | | 9/9/2021 3:46:19 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x101731
User:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Process Information:
Process ID: 0x398
Process Name: C:\Program Files\Git\usr\bin\bash.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14222 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:46:18 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x101731
User:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Process Information:
Process ID: 0x1260
Process Name: C:\Program Files\Git\usr\bin\bash.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14221 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:46:18 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14220 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 3:44:30 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14219 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 3:44:30 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x101731
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14218 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:18 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x101731
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x534
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-NEUTRON-8080
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14217 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:18 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x534
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14216 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:18 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-NEUTRON-8080
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14215 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:18 PM | 0cee27d5-a591-0003-a82a-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0xF5255
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14214 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0xF5255
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x534
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-NEUTRON-8080
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14213 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x534
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14212 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-NEUTRON-8080
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14211 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:12 PM | 0cee27d5-a591-0002-6e2a-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0xEFA63
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14210 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:10 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0xEFA63
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x534
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-NEUTRON-8080
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14209 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:10 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x534
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14208 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:10 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-NEUTRON-8080
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14207 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:10 PM | 0cee27d5-a591-0002-4a2a-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14206 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14205 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14204 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14203 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7e3f35e7-36b9-41ba-b619-75b51655a779
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14202 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Create Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14201 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7e3f35e7-36b9-41ba-b619-75b51655a779
Operation: Write persisted key to file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14200 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016 | 5061 | 0 | | 0 | 12290 | 0 | -9218868437227405312 | 14199 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Delete key file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14198 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14197 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14196 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14195 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14194 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14193 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:43:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x92735
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-500
Account Name: Administrator
Account Domain: HV-NEUTRON-8080 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14192 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:42:36 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x92735
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-500
Account Name: Administrator
Account Domain: HV-NEUTRON-8080
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 9/9/2021 3:42:36 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14191 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:42:36 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x92735
User:
Security ID: S-1-5-21-917972033-3866173643-4074574250-500
Account Name: Administrator
Account Domain: HV-NEUTRON-8080
Process Information:
Process ID: 0x490
Process Name: C:\Windows\System32\net1.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14190 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:42:36 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x92735
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x9c0
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14189 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:42:25 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x2E70B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14188 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:42:07 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x92735
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14187 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:42:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x92735
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x534
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-NEUTRON-8080
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14186 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:42:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x534
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14185 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:42:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-NEUTRON-8080
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14184 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:42:05 PM | 0cee27d5-a591-0000-0d29-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x598
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2021?-?09?-?09T15:42:05.672673900Z
New Time: ?2021?-?09?-?09T15:42:05.671000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 14183 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 3868 | hv-neutron-8080 | | 9/9/2021 3:42:05 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x90B43
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14182 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 3:41:51 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x90B43
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14181 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 3:41:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x90B43
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x534
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-NEUTRON-8080
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14180 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 3:41:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x534
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14179 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 3:41:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-NEUTRON-8080
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14178 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 3:41:51 PM | 0cee27d5-a591-0001-5828-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: 8fb44e5c-c67f-4af0-aa8b-8889133f5a44
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14177 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 3:41:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: 8fb44e5c-c67f-4af0-aa8b-8889133f5a44
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\5c8cca284f013cc052c5afc786aa1c32_7e3f35e7-36b9-41ba-b619-75b51655a779
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14176 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 3:41:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14175 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Changed Attributes:
SAM Account Name: Admin
Display Name: Admin
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 9/9/2021 3:41:49 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14174 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
User:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Process Information:
Process ID: 0xbdc
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14173 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
User:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Process Information:
Process ID: 0xbdc
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14172 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
User:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Process Information:
Process ID: 0xbdc
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14171 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14170 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:45 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14169 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:45 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
User:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Process Information:
Process ID: 0xbdc
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14168 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:45 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A member was added to a security-enabled local group.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
Member:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: -
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Additional Information:
Privileges: - | 4732 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14167 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:44 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was logged off.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x7AAE3
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14166 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:44 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x230
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14165 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:44 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon ID: 0x7AAE3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xbdc
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Workstation Name: HV-NEUTRON-8080
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14164 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xbdc
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14163 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:43 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-NEUTRON-8080
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14162 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:43 PM | 0cee27d5-a591-0003-7328-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14161 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Changed Attributes:
SAM Account Name: Admin
Display Name: Admin
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 9/9/2021 3:41:40 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x15
New UAC Value: 0x210
User Account Control:
Account Enabled
'Password Not Required' - Disabled
'Don't Expire Password' - Enabled
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14160 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was enabled.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080 | 4722 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14159 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was created.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
New Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: Admin
Account Domain: HV-NEUTRON-8080
Attributes:
SAM Account Name: Admin
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges - | 4720 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14158 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A member was added to a security-enabled global group.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
Member:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1001
Account Name: -
Group:
Security ID: S-1-5-21-917972033-3866173643-4074574250-513
Group Name: None
Group Domain: HV-NEUTRON-8080
Additional Information:
Privileges: - | 4728 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14157 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:40 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
Privileges: SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14156 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x2E70B
Logon Information:
Logon Type: 4
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x52A64
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xc34
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Workstation Name: HV-NEUTRON-8080
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14155 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: cloudbase-init
Source Workstation: HV-NEUTRON-8080
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14154 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:16 PM | 0cee27d5-a591-0001-2d28-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x2E70B
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14153 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x2E70B
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Changed Attributes:
SAM Account Name: cloudbase-init
Display Name: cloudbase-init
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 9/9/2021 3:41:16 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14152 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x2E70B
User:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Process Information:
Process ID: 0xc34
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14151 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x2E70B
User:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Process Information:
Process ID: 0xc34
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14150 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Type: 2
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Administrator
Account Domain: HV-NEUTRON-8080
Failure Information:
Failure Reason: The specified account's password has expired.
Status: 0xC0000224
Sub Status: 0x0
Process Information:
Caller Process ID: 0x230
Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-NEUTRON-8080
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4625 | 0 | | 0 | 12544 | 0 | -9218868437227405312 | 14149 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14148 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14147 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:16 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-917972033-3866173643-4074574250-500
Account Name: Administrator
Account Domain: HV-NEUTRON-8080
Process Information:
Process ID: 0xc38
Process Name: C:\Windows\System32\LogonUI.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14146 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:15 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14145 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x9c4
Process Name: C:\Windows\System32\vmms.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14144 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:12 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x230
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14143 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:11 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14142 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:10 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14141 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:10 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14140 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:10 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14139 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:10 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: TSSecKeySet1
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14138 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TSSecKeySet1
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_7e3f35e7-36b9-41ba-b619-75b51655a779
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14137 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: TSSecKeySet1
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14136 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TSSecKeySet1
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_7e3f35e7-36b9-41ba-b619-75b51655a779
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14135 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x2E70B
Privileges: SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14134 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon ID: 0x2E70B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: HV-NEUTRON-8080
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14133 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: cloudbase-init
Account Domain: HV-NEUTRON-8080
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14132 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:09 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: cloudbase-init
Source Workstation: HV-NEUTRON-8080
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14131 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:09 PM | 0cee27d5-a591-0004-0d28-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14130 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14129 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:08 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14128 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:07 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14127 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:07 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x230
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14126 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:07 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key migration operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14125 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14124 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14123 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14122 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14121 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14120 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14119 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Windows Firewall service started successfully. | 5024 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14118 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:06 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x202EC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14117 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-neutron-8080 | | 9/9/2021 3:41:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14116 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14115 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14114 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14113 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14112 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-neutron-8080 | | 9/9/2021 3:41:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14111 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-neutron-8080 | | 9/9/2021 3:41:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14110 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14109 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14108 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14107 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:05 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Windows Firewall Driver started successfully. | 5033 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14106 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-neutron-8080 | | 9/9/2021 3:41:05 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x230
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14105 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x230
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14104 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x7fc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14103 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x7fc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14102 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x7fc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14101 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x7fc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14100 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x7fc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14099 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x7fc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14098 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-20
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x534
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14097 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-20
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x534
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14096 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x7fc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14095 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x7fc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14094 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14093 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14092 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14091 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14090 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 864 | hv-neutron-8080 | | 9/9/2021 3:41:04 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x590
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2021?-?09?-?09T15:41:03.420842000Z
New Time: ?2021?-?09?-?09T15:41:03.980000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 14089 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | hv-neutron-8080 | | 9/9/2021 3:41:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Auditing settings on object were changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\Temp\winre\ExtractedFromWim
Handle ID: 0x5dc
Process Information:
Process ID: 0x508
Process Name: C:\Windows\System32\oobe\msoobe.exe
Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) | 4907 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14088 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | hv-neutron-8080 | | 9/9/2021 3:41:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14087 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14086 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14085 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14084 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14083 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14082 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:03 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled global group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-21-917972033-3866173643-4074574250-513
Group Name: None
Group Domain: HV-NEUTRON-8080
Changed Attributes:
SAM Account Name: None
SID History: -
Additional Information:
Privileges: - | 4737 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14081 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-513
Account Domain: HV-NEUTRON-8080
Old Account Name: None
New Account Name: None
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14080 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled global group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-21-917972033-3866173643-4074574250-513
Group Name: None
Group Domain: HV-NEUTRON-8080
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4737 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14079 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-503
Account Name: DefaultAccount
Account Domain: HV-NEUTRON-8080
Changed Attributes:
SAM Account Name: DefaultAccount
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14078 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-503
Account Name: DefaultAccount
Account Domain: HV-NEUTRON-8080
Changed Attributes:
SAM Account Name: DefaultAccount
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14077 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-501
Account Name: Guest
Account Domain: HV-NEUTRON-8080
Changed Attributes:
SAM Account Name: Guest
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14076 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-501
Account Name: Guest
Account Domain: HV-NEUTRON-8080
Changed Attributes:
SAM Account Name: Guest
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14075 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-500
Account Name: Administrator
Account Domain: HV-NEUTRON-8080
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14074 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-500
Account Name: Administrator
Account Domain: HV-NEUTRON-8080
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14073 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-581
Group Name: System Managed Accounts Group
Group Domain: Builtin
Changed Attributes:
SAM Account Name: System Managed Accounts Group
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14072 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-581
Account Domain: Builtin
Old Account Name: System Managed Accounts Group
New Account Name: System Managed Accounts Group
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14071 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-581
Group Name: System Managed Accounts Group
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14070 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-582
Group Name: Storage Replica Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Storage Replica Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14069 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-582
Account Domain: Builtin
Old Account Name: Storage Replica Administrators
New Account Name: Storage Replica Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14068 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-582
Group Name: Storage Replica Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14067 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-580
Group Name: Remote Management Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Remote Management Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14066 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-580
Account Domain: Builtin
Old Account Name: Remote Management Users
New Account Name: Remote Management Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14065 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-580
Group Name: Remote Management Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14064 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-579
Group Name: Access Control Assistance Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Access Control Assistance Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14063 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-579
Account Domain: Builtin
Old Account Name: Access Control Assistance Operators
New Account Name: Access Control Assistance Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14062 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-579
Group Name: Access Control Assistance Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14061 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-578
Group Name: Hyper-V Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Hyper-V Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14060 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-578
Account Domain: Builtin
Old Account Name: Hyper-V Administrators
New Account Name: Hyper-V Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14059 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-578
Group Name: Hyper-V Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14058 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-577
Group Name: RDS Management Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Management Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14057 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-577
Account Domain: Builtin
Old Account Name: RDS Management Servers
New Account Name: RDS Management Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14056 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-577
Group Name: RDS Management Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14055 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-576
Group Name: RDS Endpoint Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Endpoint Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14054 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-576
Account Domain: Builtin
Old Account Name: RDS Endpoint Servers
New Account Name: RDS Endpoint Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14053 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-576
Group Name: RDS Endpoint Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14052 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-575
Group Name: RDS Remote Access Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Remote Access Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14051 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-575
Account Domain: Builtin
Old Account Name: RDS Remote Access Servers
New Account Name: RDS Remote Access Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14050 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-575
Group Name: RDS Remote Access Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14049 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-574
Group Name: Certificate Service DCOM Access
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Certificate Service DCOM Access
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14048 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-574
Account Domain: Builtin
Old Account Name: Certificate Service DCOM Access
New Account Name: Certificate Service DCOM Access
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14047 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-574
Group Name: Certificate Service DCOM Access
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14046 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-573
Group Name: Event Log Readers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Event Log Readers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14045 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-573
Account Domain: Builtin
Old Account Name: Event Log Readers
New Account Name: Event Log Readers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14044 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-573
Group Name: Event Log Readers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14043 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-569
Group Name: Cryptographic Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Cryptographic Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14042 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-569
Account Domain: Builtin
Old Account Name: Cryptographic Operators
New Account Name: Cryptographic Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14041 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-569
Group Name: Cryptographic Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14040 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-568
Group Name: IIS_IUSRS
Group Domain: Builtin
Changed Attributes:
SAM Account Name: IIS_IUSRS
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14039 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-568
Account Domain: Builtin
Old Account Name: IIS_IUSRS
New Account Name: IIS_IUSRS
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14038 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-568
Group Name: IIS_IUSRS
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14037 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-562
Group Name: Distributed COM Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Distributed COM Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14036 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-562
Account Domain: Builtin
Old Account Name: Distributed COM Users
New Account Name: Distributed COM Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14035 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-562
Group Name: Distributed COM Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14034 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-559
Group Name: Performance Log Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Performance Log Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14033 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-559
Account Domain: Builtin
Old Account Name: Performance Log Users
New Account Name: Performance Log Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14032 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-559
Group Name: Performance Log Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14031 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-558
Group Name: Performance Monitor Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Performance Monitor Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14030 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-558
Account Domain: Builtin
Old Account Name: Performance Monitor Users
New Account Name: Performance Monitor Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14029 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-558
Group Name: Performance Monitor Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14028 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-547
Group Name: Power Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Power Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14027 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-547
Account Domain: Builtin
Old Account Name: Power Users
New Account Name: Power Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14026 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-547
Group Name: Power Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14025 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-556
Group Name: Network Configuration Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Network Configuration Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14024 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-556
Account Domain: Builtin
Old Account Name: Network Configuration Operators
New Account Name: Network Configuration Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14023 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-556
Group Name: Network Configuration Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14022 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-555
Group Name: Remote Desktop Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Remote Desktop Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14021 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-555
Account Domain: Builtin
Old Account Name: Remote Desktop Users
New Account Name: Remote Desktop Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14020 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-555
Group Name: Remote Desktop Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14019 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-552
Group Name: Replicator
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Replicator
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14018 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-552
Account Domain: Builtin
Old Account Name: Replicator
New Account Name: Replicator
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14017 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-552
Group Name: Replicator
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14016 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Backup Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14015 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-551
Account Domain: Builtin
Old Account Name: Backup Operators
New Account Name: Backup Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14014 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14013 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-546
Group Name: Guests
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Guests
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14012 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-546
Account Domain: Builtin
Old Account Name: Guests
New Account Name: Guests
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14011 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-546
Group Name: Guests
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14010 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-545
Group Name: Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14009 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-545
Account Domain: Builtin
Old Account Name: Users
New Account Name: Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14008 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-545
Group Name: Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14007 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14006 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-544
Account Domain: Builtin
Old Account Name: Administrators
New Account Name: Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14005 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14004 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-550
Group Name: Print Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Print Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14003 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-550
Account Domain: Builtin
Old Account Name: Print Operators
New Account Name: Print Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14002 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-550
Group Name: Print Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14001 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 908 | hv-neutron-8080 | | 9/9/2021 3:41:01 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14000 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13999 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:51 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13998 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13997 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13996 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13995 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13994 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13993 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB58B
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13992 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB579
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13991 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB58B
Linked Logon ID: 0xB579
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2d4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13990 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB579
Linked Logon ID: 0xB58B
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2d4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13989 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DWM-1
Account Domain: Window Manager
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x2d4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 13988 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:50 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13987 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13986 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 904 | hv-neutron-8080 | | 9/9/2021 3:40:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13985 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 3:40:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-NEUTRON-8080$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x320
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13984 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 852 | hv-neutron-8080 | | 9/9/2021 3:40:49 PM | 0cee27d5-a591-0000-dc27-ee0c91a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0x61CA | 4902 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13983 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 868 | hv-neutron-8080 | | 9/9/2021 3:40:49 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 0
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: -
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13982 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 820 | hv-neutron-8080 | | 9/9/2021 3:40:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. | 4608 | 0 | | 0 | 12288 | 0 | -9214364837600034816 | 13981 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 816 | 820 | hv-neutron-8080 | | 9/9/2021 3:40:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x330
New Process Name: C:\Windows\System32\lsass.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b0
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13980 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | hv-neutron-8080 | | 9/9/2021 3:40:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x320
New Process Name: C:\Windows\System32\services.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b0
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13979 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | hv-neutron-8080 | | 9/9/2021 3:40:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2d4
New Process Name: C:\Windows\System32\winlogon.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x290
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13978 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | hv-neutron-8080 | | 9/9/2021 3:40:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2b0
New Process Name: C:\Windows\System32\wininit.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x248
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13977 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | hv-neutron-8080 | | 9/9/2021 3:40:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x298
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x290
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13976 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | hv-neutron-8080 | | 9/9/2021 3:40:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x290
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1d4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13975 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 512 | hv-neutron-8080 | | 9/9/2021 3:40:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x250
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x248
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13974 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-neutron-8080 | | 9/9/2021 3:40:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x248
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1d4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13973 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-neutron-8080 | | 9/9/2021 3:40:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x218
New Process Name: C:\Windows\System32\autochk.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1d4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13972 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-neutron-8080 | | 9/9/2021 3:40:45 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1d4
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13971 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-neutron-8080 | | 9/9/2021 3:40:44 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x188
New Process Name:
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13970 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-neutron-8080 | | 9/9/2021 3:40:44 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Boot Configuration Data loaded.
Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
General Settings:
Load Options: -
Advanced Options: No
Configuration Access Policy: Default
System Event Logging: No
Kernel Debugging: No
VSM Launch Type: Auto
Signature Settings:
Test Signing: No
Flight Signing: No
Disable Integrity Checks: No
HyperVisor Settings:
HyperVisor Load Options: -
HyperVisor Launch Type: Auto
HyperVisor Debugging: No | 4826 | 0 | | 0 | 13573 | 0 | -9214364837600034816 | 13969 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-neutron-8080 | | 9/9/2021 3:40:44 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other Policy Change Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x5ec
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2021?-?09?-?09T15:40:36.400214100Z
New Time: ?2021?-?09?-?09T15:40:36.380000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13968 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 472 | WIN-5T344G8GM1H | | 9/9/2021 3:40:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The event logging service has shut down. | 1100 | 0 | | 4 | 103 | 0 | 4620693217682128896 | 13967 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 1308 | 1896 | WIN-5T344G8GM1H | | 9/9/2021 3:40:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Service shutdown | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13966 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 9/9/2021 3:40:32 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13965 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 9/9/2021 3:40:32 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13964 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 9/9/2021 3:40:13 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: cloudbase-init
Display Name: cloudbase-init
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 9/9/2021 3:40:13 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13963 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 9/9/2021 3:40:13 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0x468
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13962 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 9/9/2021 3:40:13 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-917972033-3866173643-4074574250-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0x468
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13961 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 9/9/2021 3:40:13 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Auditing settings on object were changed.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\Temp\winre\ExtractedFromWim
Handle ID: 0x2c4
Process Information:
Process ID: 0x4a8
Process Name: C:\Windows\System32\oobe\Setup.exe
Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) | 4907 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13960 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 376 | WIN-5T344G8GM1H | | 9/9/2021 3:39:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13959 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 9/9/2021 3:39:40 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13958 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 9/9/2021 3:39:40 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Windows Firewall service started successfully. | 5024 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 13957 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 9/9/2021 3:39:37 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x62C41
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13956 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 9/9/2021 3:39:36 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13955 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 9/9/2021 3:39:36 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13954 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 9/9/2021 3:39:36 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13953 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 9/9/2021 3:39:36 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13952 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 9/9/2021 3:39:36 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13951 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 9/9/2021 3:39:36 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13950 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 9/9/2021 3:39:36 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13949 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 9/9/2021 3:39:36 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13948 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 9/9/2021 3:39:36 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13947 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 9/9/2021 3:39:36 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13946 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 9/9/2021 3:39:36 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Windows Firewall Driver started successfully. | 5033 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 13945 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 592 | WIN-5T344G8GM1H | | 9/9/2021 3:39:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13944 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 9/9/2021 3:39:35 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13943 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 9/9/2021 3:39:35 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13942 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 9/9/2021 3:39:35 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13941 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 9/9/2021 3:39:35 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x51c
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2021?-?09?-?09T15:39:35.146963500Z
New Time: ?2021?-?09?-?09T15:39:35.252000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13940 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 376 | WIN-5T344G8GM1H | | 9/9/2021 3:39:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13939 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 9/9/2021 3:39:35 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13938 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 9/9/2021 3:39:35 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13937 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:35 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13936 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:35 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13935 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:27 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13934 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:27 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13933 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:26 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13932 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:26 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13931 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:26 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13930 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:26 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13929 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:26 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13928 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:26 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x57545
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13927 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:26 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x57517
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13926 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:26 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x57545
Linked Logon ID: 0x57517
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2e0
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13925 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:26 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x57517
Linked Logon ID: 0x57545
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2e0
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13924 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:26 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DWM-1
Account Domain: Window Manager
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x2e0
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 13923 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:26 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13922 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:26 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13921 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 9/9/2021 3:39:26 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13920 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 9/9/2021 3:39:25 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13919 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 9/9/2021 3:39:25 PM | d179590e-a590-0005-1259-79d190a5d701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0x500E2 | 4902 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13918 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 872 | WIN-5T344G8GM1H | | 9/9/2021 3:39:25 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 0
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: -
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13917 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 828 | WIN-5T344G8GM1H | | 9/9/2021 3:39:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. | 4608 | 0 | | 0 | 12288 | 0 | -9214364837600034816 | 13916 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 828 | WIN-5T344G8GM1H | | 9/9/2021 3:39:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x338
New Process Name: C:\Windows\System32\lsass.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b8
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13915 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 472 | WIN-5T344G8GM1H | | 9/9/2021 3:39:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x328
New Process Name: C:\Windows\System32\services.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b8
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13914 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 472 | WIN-5T344G8GM1H | | 9/9/2021 3:39:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2e0
New Process Name: C:\Windows\System32\winlogon.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x298
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13913 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | WIN-5T344G8GM1H | | 9/9/2021 3:39:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2b8
New Process Name: C:\Windows\System32\wininit.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x254
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13912 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | WIN-5T344G8GM1H | | 9/9/2021 3:39:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2a0
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x298
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13911 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | WIN-5T344G8GM1H | | 9/9/2021 3:39:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x298
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13910 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | WIN-5T344G8GM1H | | 9/9/2021 3:39:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x260
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x254
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13909 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | WIN-5T344G8GM1H | | 9/9/2021 3:39:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x254
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13908 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | WIN-5T344G8GM1H | | 9/9/2021 3:39:23 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x238
New Process Name: C:\Windows\System32\setupcl.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13907 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 376 | WIN-5T344G8GM1H | | 9/9/2021 3:39:08 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x208
New Process Name: C:\Windows\System32\autochk.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13906 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 228 | WIN-5T344G8GM1H | | 9/9/2021 3:39:05 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1e4
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13905 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 9/9/2021 3:39:05 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1e0
New Process Name:
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13904 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 9/9/2021 3:39:05 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Boot Configuration Data loaded.
Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
General Settings:
Load Options: -
Advanced Options: No
Configuration Access Policy: Default
System Event Logging: No
Kernel Debugging: No
VSM Launch Type: Auto
Signature Settings:
Test Signing: No
Flight Signing: No
Disable Integrity Checks: No
HyperVisor Settings:
HyperVisor Load Options: -
HyperVisor Launch Type: Auto
HyperVisor Debugging: No | 4826 | 0 | | 0 | 13573 | 0 | -9214364837600034816 | 13903 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 9/9/2021 3:39:05 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other Policy Change Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x4dc
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z
New Time: ?2018?-?01?-?19T09:48:13.152000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13902 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 1980 | WIN-5T344G8GM1H | | 1/19/2018 9:48:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The event logging service has shut down. | 1100 | 0 | | 4 | 103 | 0 | 4620693217682128896 | 13901 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 436 | 1144 | WIN-5T344G8GM1H | | 1/19/2018 9:48:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Service shutdown | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
User initiated logoff:
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event. | 4647 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 13900 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:48:12 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13899 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 3024 | WIN-5T344G8GM1H | | 1/19/2018 9:48:11 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13898 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 3024 | WIN-5T344G8GM1H | | 1/19/2018 9:48:11 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13897 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 756 | WIN-5T344G8GM1H | | 1/19/2018 9:48:10 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13896 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 756 | WIN-5T344G8GM1H | | 1/19/2018 9:48:10 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Domain Policy was changed.
Change Type: Password Policy modified
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Domain:
Domain Name: WIN-5T344G8GM1H
Domain ID: S-1-5-21-416071247-492812682-1642729393
Changed Attributes:
Min. Password Age:
Max. Password Age:
Force Logoff:
Lockout Threshold:
Lockout Observation Window:
Lockout Duration:
Password Properties:
Min. Password Length:
Password History Length: -
Machine Account Quota: -
Mixed Domain Mode: -
Domain Behavior Version: -
OEM Information: 1
Additional Information:
Privileges: - | 4739 | 0 | | 0 | 13569 | 0 | -9214364837600034816 | 13895 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Authentication Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x10
User Account Control:
'Don't Expire Password' - Disabled
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13894 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13893 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user account was changed.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 1/19/2018 9:47:34 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13892 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Domain Policy was changed.
Change Type: Password Policy modified
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Domain:
Domain Name: WIN-5T344G8GM1H
Domain ID: S-1-5-21-416071247-492812682-1642729393
Changed Attributes:
Min. Password Age: ??
Max. Password Age:
Force Logoff: ??
Lockout Threshold:
Lockout Observation Window: -
Lockout Duration: -
Password Properties: -
Min. Password Length: -
Password History Length: 0
Machine Account Quota: 0
Mixed Domain Mode: 0
Domain Behavior Version: -
OEM Information: -
Additional Information:
Privileges: - | 4739 | 0 | | 0 | 13569 | 0 | -9214364837600034816 | 13891 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Authentication Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
User:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0xfac
Process Name: C:\Windows\System32\Sysprep\sysprep.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13890 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13889 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13888 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
The audit log was cleared.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Domain Name: WIN-5T344G8GM1H
Logon ID: 0x1F0E3 | 1102 | 0 | | 4 | 104 | 0 | 4620693217682128896 | 13887 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 436 | 1136 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Log clear | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |