Message | Id | Version | Qualifiers | Level | Task | Opcode | Keywords | RecordId | ProviderName | ProviderId | LogName | ProcessId | ThreadId | MachineName | UserId | TimeCreated | ActivityId | RelatedActivityId | ContainerLog | MatchedQueryIds | Bookmark | LevelDisplayName | OpcodeDisplayName | TaskDisplayName | KeywordsDisplayNames | Properties |
Registry file C:\Users\administrator\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-1012637945-3600504182-1845143632-500_Classes. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 86 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1460 | 3016 | n-h1-761264-4.cbci-761264-4.local | S-1-5-18 | 11/4/2020 8:35:21 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Logon type: Regular; Local profile location: C:\Users\administrator; Profile type: Regular | 67 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 85 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1460 | 3016 | n-h1-761264-4.cbci-761264-4.local | S-1-5-18 | 11/4/2020 8:35:19 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\administrator\ntuser.dat is loaded at HKU\S-1-5-21-1012637945-3600504182-1845143632-500. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 84 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1460 | 3016 | n-h1-761264-4.cbci-761264-4.local | S-1-5-18 | 11/4/2020 8:35:19 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Disable background user hive upload task succeeded. | 59 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 83 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1460 | 1488 | n-h1-761264-4.cbci-761264-4.local | S-1-5-18 | 11/4/2020 8:35:11 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Disable background user hive upload task succeeded. | 59 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 82 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1460 | 1488 | n-h1-761264-4.cbci-761264-4.local | S-1-5-18 | 11/4/2020 8:35:01 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Disable background user hive upload task succeeded. | 59 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 81 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1460 | 1488 | n-h1-761264-4.cbci-761264-4.local | S-1-5-18 | 11/4/2020 8:34:34 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Disable background user hive upload task succeeded. | 59 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 80 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1460 | 1488 | n-h1-761264-4.cbci-761264-4.local | S-1-5-18 | 11/4/2020 8:34:33 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Admin\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-2029236134-125245321-1557053219-1001_Classes. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 79 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1460 | 3120 | n-h1-761264-4.cbci-761264-4.local | S-1-5-18 | 11/4/2020 8:34:31 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Logon type: Regular; Local profile location: C:\Users\Admin; Profile type: Regular | 67 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 78 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1460 | 3120 | n-h1-761264-4.cbci-761264-4.local | S-1-5-18 | 11/4/2020 8:34:30 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Admin\ntuser.dat is loaded at HKU\S-1-5-21-2029236134-125245321-1557053219-1001. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 77 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1460 | 3120 | n-h1-761264-4.cbci-761264-4.local | S-1-5-18 | 11/4/2020 8:34:30 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\cloudbase-init\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-2029236134-125245321-1557053219-1000_Classes. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 76 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1460 | 2392 | n-h1-761264-4.cbci-761264-4.local | S-1-5-18 | 11/4/2020 8:34:30 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Logon type: Regular; Local profile location: C:\Users\cloudbase-init; Profile type: Regular | 67 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 75 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1460 | 2392 | n-h1-761264-4.cbci-761264-4.local | S-1-5-18 | 11/4/2020 8:34:30 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\cloudbase-init\ntuser.dat is loaded at HKU\S-1-5-21-2029236134-125245321-1557053219-1000. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 74 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1460 | 2392 | n-h1-761264-4.cbci-761264-4.local | S-1-5-18 | 11/4/2020 8:34:30 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Admin\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-2029236134-125245321-1557053219-1001_Classes. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 73 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 612 | 2220 | n-h1-761264-4 | S-1-5-21-2029236134-125245321-1557053219-1000 | 11/4/2020 7:53:38 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Logon type: Regular; Local profile location: C:\Users\Admin; Profile type: Regular | 67 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 72 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 612 | 2220 | n-h1-761264-4 | S-1-5-21-2029236134-125245321-1557053219-1000 | 11/4/2020 7:53:37 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Admin\ntuser.dat is loaded at HKU\S-1-5-21-2029236134-125245321-1557053219-1001. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 71 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 612 | 2220 | n-h1-761264-4 | S-1-5-21-2029236134-125245321-1557053219-1000 | 11/4/2020 7:53:37 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Disable background user hive upload task succeeded. | 59 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 70 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 612 | 1692 | n-h1-761264-4 | S-1-5-18 | 11/4/2020 7:53:06 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\cloudbase-init\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-2029236134-125245321-1557053219-1000_Classes. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 69 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 612 | 796 | n-h1-761264-4 | S-1-5-18 | 11/4/2020 7:53:02 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Logon type: Regular; Local profile location: C:\Users\cloudbase-init; Profile type: Regular | 67 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 68 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 612 | 796 | n-h1-761264-4 | S-1-5-18 | 11/4/2020 7:53:00 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\cloudbase-init\ntuser.dat is loaded at HKU\S-1-5-21-2029236134-125245321-1557053219-1000. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 67 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 612 | 796 | n-h1-761264-4 | S-1-5-18 | 11/4/2020 7:53:00 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logoff notification on session 1. | 4 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 66 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 976 | 672 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 9:48:12 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logoff notification on session 1. | 3 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 65 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 976 | 672 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 9:48:12 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logon notification on session 1. | 2 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 64 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 976 | 2072 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 9:41:32 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Disable background user hive upload task succeeded. | 59 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 63 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 976 | 1228 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 9:41:32 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500_Classes. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 62 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 976 | 2556 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 9:41:32 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Logon type: Regular; Local profile location: C:\Users\Administrator; Profile type: Regular | 67 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 61 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 976 | 2556 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 9:41:32 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\ntuser.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 60 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 976 | 2556 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 9:41:32 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logon notification on session 1. | 1 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 59 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 976 | 2072 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 9:41:31 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logoff notification on session 1. | 4 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 58 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 1504 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 9:40:27 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logoff notification on session 1. | 3 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 57 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 1504 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 9:40:27 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logon notification on session 1. | 2 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 56 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 2624 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 9:27:18 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500_Classes. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 55 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 436 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 9:27:18 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Logon type: Regular; Local profile location: C:\Users\Administrator; Profile type: Regular | 67 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 54 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 436 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 9:27:18 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\ntuser.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 53 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 436 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 9:27:18 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logon notification on session 1. | 1 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 52 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 2624 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 9:27:18 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Disable background user hive upload task succeeded. | 59 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 51 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 1256 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 9:27:18 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Disable background user hive upload task succeeded. | 59 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 50 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 1256 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 9:27:17 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logoff notification on session 1. | 4 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 49 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 1996 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 9:26:19 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logoff notification on session 1. | 3 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 48 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 1996 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 9:26:18 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logon notification on session 1. | 2 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 47 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 2780 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 9:23:04 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500_Classes. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 46 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 2768 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 9:23:04 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Logon type: Regular; Local profile location: C:\Users\Administrator; Profile type: Regular | 67 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 45 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 2768 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 9:23:04 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\ntuser.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 44 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 2768 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 9:23:04 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logon notification on session 1. | 1 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 43 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 956 | 2780 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 9:23:04 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logoff notification on session 1. | 4 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 42 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1180 | 2444 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 9:22:48 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logoff notification on session 1. | 3 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 41 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1180 | 2444 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 9:22:48 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logon notification on session 1. | 2 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 40 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1180 | 2504 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 8:54:50 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500_Classes. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 39 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1180 | 1420 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 8:54:49 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Logon type: Regular; Local profile location: C:\Users\Administrator; Profile type: Regular | 67 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 38 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1180 | 1420 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 8:54:49 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\ntuser.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 37 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1180 | 1420 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 8:54:49 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logon notification on session 1. | 1 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 36 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1180 | 2504 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 8:54:49 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logoff notification on session 1. | 4 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 35 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1192 | 2632 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 8:54:39 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logoff notification on session 1. | 3 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 34 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1192 | 2632 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 8:54:39 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logon notification on session 1. | 2 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 33 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1192 | 2632 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 8:50:55 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500_Classes. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 32 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1192 | 2028 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 8:50:55 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Logon type: Regular
Local profile location: C:\Users\Administrator
Profile type: Regular | 67 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 31 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1192 | 2028 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 8:50:55 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\ntuser.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 30 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1192 | 2028 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 8:50:55 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logon notification on session 1. | 1 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 29 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1192 | 2632 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 8:50:55 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logoff notification on session 1. | 4 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 28 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 964 | 1824 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 8:45:57 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logoff notification on session 1. | 3 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 27 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 964 | 1824 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 8:45:56 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logon notification on session 1. | 2 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 26 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 964 | 2404 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 8:24:01 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500_Classes. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 25 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 964 | 2612 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 8:24:00 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Logon type: Regular
Local profile location: C:\Users\Administrator
Profile type: Regular | 67 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 24 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 964 | 2612 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 8:24:00 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\ntuser.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 23 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 964 | 2612 | WIN-5T344G8GM1H | S-1-5-18 | 1/19/2018 8:24:00 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logon notification on session 1. | 1 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 22 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 964 | 2404 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/19/2018 8:24:00 AM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logoff notification on session 1. | 4 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 21 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1176 | 3168 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/16/2018 6:44:38 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logoff notification on session 1. | 3 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 20 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1176 | 3168 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/16/2018 6:44:38 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logon notification on session 1. | 2 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 19 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1176 | 2580 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/16/2018 6:07:02 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500_Classes. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 18 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1176 | 2640 | WIN-5T344G8GM1H | S-1-5-18 | 1/16/2018 6:07:02 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Logon type: Regular
Local profile location: C:\Users\Administrator
Profile type: Regular | 67 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 17 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1176 | 2640 | WIN-5T344G8GM1H | S-1-5-18 | 1/16/2018 6:07:02 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\ntuser.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 16 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1176 | 2640 | WIN-5T344G8GM1H | S-1-5-18 | 1/16/2018 6:07:02 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logon notification on session 1. | 1 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 15 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1176 | 2580 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/16/2018 6:07:02 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logoff notification on session 1. | 4 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 14 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1152 | 5108 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/16/2018 6:02:38 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logoff notification on session 1. | 3 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 13 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1152 | 5108 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/16/2018 6:02:38 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logon notification on session 1. | 2 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 12 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1152 | 2600 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/16/2018 5:43:06 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500_Classes. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 11 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1152 | 1364 | WIN-5T344G8GM1H | S-1-5-18 | 1/16/2018 5:43:06 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Logon type: Regular
Local profile location: C:\Users\Administrator
Profile type: Regular | 67 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 10 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1152 | 1364 | WIN-5T344G8GM1H | S-1-5-18 | 1/16/2018 5:43:06 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\ntuser.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 9 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1152 | 1364 | WIN-5T344G8GM1H | S-1-5-18 | 1/16/2018 5:43:06 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logon notification on session 1. | 1 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 8 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 1152 | 2600 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/16/2018 5:43:06 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logoff notification on session 1. | 4 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 7 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 924 | 1564 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/16/2018 5:35:50 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logoff notification on session 1. | 3 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 6 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 924 | 1564 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/16/2018 5:35:49 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Finished processing user logon notification on session 1. | 2 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 5 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 924 | 1948 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/16/2018 5:02:11 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500_Classes. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 4 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 924 | 2872 | WIN-5T344G8GM1H | S-1-5-18 | 1/16/2018 5:02:11 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Logon type: Regular
Local profile location: C:\Users\Administrator
Profile type: Regular | 67 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 3 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 924 | 2872 | WIN-5T344G8GM1H | S-1-5-18 | 1/16/2018 5:02:10 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Registry file C:\Users\Administrator\ntuser.dat is loaded at HKU\S-1-5-21-416071247-492812682-1642729393-500. | 5 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 2 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 924 | 2872 | WIN-5T344G8GM1H | S-1-5-18 | 1/16/2018 5:02:10 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
Recieved user logon notification on session 1. | 1 | 0 | | 4 | 0 | 0 | 4611686018427387904 | 1 | Microsoft-Windows-User Profiles Service | 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845 | Microsoft-Windows-User Profile Service/Operational | 924 | 1948 | WIN-5T344G8GM1H | S-1-5-21-416071247-492812682-1642729393-500 | 1/16/2018 5:02:10 PM | | | microsoft-windows-user profile service/operational | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |