date | time | type | info | text |
26.03.2017 | 23.00.01 | Event | Security | An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: %%1843
Elevated Token: %%1843
Impersonation Level: %%1833
New Logon:
Security ID: S-1-5-21-861375751-3771627180-3643734012-1003
Account Name: haugerud
Account Domain: DESKTOP-KV0DOUH
Logon ID: 0x524f1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: HAUGE7-PC
Source Network Address: 10.0.2.2
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. |
26.03.2017 | 23.00.01 | Event | Security | An account was logged off.
Subject:
Security ID: S-1-5-21-861375751-3771627180-3643734012-1003
Account Name: haugerud
Account Domain: DESKTOP-KV0DOUH
Logon ID: 0x524f1
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. |
26.03.2017 | 23.00.02 | Event | Security | An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: %%1843
Elevated Token: %%1843
Impersonation Level: %%1833
New Logon:
Security ID: S-1-5-21-861375751-3771627180-3643734012-1003
Account Name: haugerud
Account Domain: DESKTOP-KV0DOUH
Logon ID: 0x525bd
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: HAUGE7-PC
Source Network Address: 10.0.2.2
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. |
26.03.2017 | 23.00.02 | Process | Started | |
26.03.2017 | 23.00.03 | Process | Started | C:\Windows\system32\winlogon.exe |
26.03.2017 | 23.00.05 | Event | Security | Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-2
Account Name: DWM-2
Account Domain: Window Manager
Logon ID: 0x53803
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege |
26.03.2017 | 23.00.05 | Event | Security | Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-2
Account Name: DWM-2
Account Domain: Window Manager
Logon ID: 0x53890
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege |
26.03.2017 | 23.00.05 | Event | Security | An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: %%1842
Elevated Token: %%1843
Impersonation Level: %%1833
New Logon:
Security ID: S-1-5-90-0-2
Account Name: DWM-2
Account Domain: Window Manager
Logon ID: 0x53890
Linked Logon ID: 0x53803
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xe28
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. |
26.03.2017 | 23.00.05 | Event | Security | A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DWM-2
Account Domain: Window Manager
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xe28
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. |
26.03.2017 | 23.00.05 | Event | Security | An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: %%1842
Elevated Token: %%1842
Impersonation Level: %%1833
New Logon:
Security ID: S-1-5-90-0-2
Account Name: DWM-2
Account Domain: Window Manager
Logon ID: 0x53803
Linked Logon ID: 0x53890
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xe28
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. |
26.03.2017 | 23.00.05 | Process | Started | C:\Windows\system32\dwm.exe |
26.03.2017 | 23.00.06 | Event | Application | The Desktop Window Manager has registered the session port. |
26.03.2017 | 23.00.09 | Event | System | User Logon Notification for Customer Experience Improvement Program |
26.03.2017 | 23.00.09 | Event | Security | An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Information:
Logon Type: 10
Restricted Admin Mode: %%1843
Virtual Account: %%1843
Elevated Token: %%1843
Impersonation Level: %%1833
New Logon:
Security ID: S-1-5-21-861375751-3771627180-3643734012-1003
Account Name: haugerud
Account Domain: DESKTOP-KV0DOUH
Logon ID: 0x57901
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x334
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: DESKTOP-KV0DOUH
Source Network Address: 10.0.2.2
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. |
26.03.2017 | 23.00.09 | Event | Security | A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: haugerud
Account Domain: DESKTOP-KV0DOUH
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x334
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: 10.0.2.2
Port: 0
This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. |
26.03.2017 | 23.00.12 | Event | Security | A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x334
Process Name: C:\Windows\System32\svchost.exe |
26.03.2017 | 23.00.12 | Process | Started | C:\Windows\System32\rdpclip.exe |
26.03.2017 | 23.00.12 | Process | Started | C:\Windows\system32\svchost.exe |
26.03.2017 | 23.00.12 | Process | Started | C:\Windows\system32\sihost.exe |
26.03.2017 | 23.00.12 | Process | Started | C:\Windows\system32\taskhostw.exe |
26.03.2017 | 23.00.13 | Event | System | The description for Event ID '10016' in Source 'DCOM' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'application-specific', 'Local', 'Activation', '{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}', '{F72671A9-012C-4725-9D2F-2A4D32D65169}', 'NT AUTHORITY', 'SYSTEM', 'S-1-5-18', 'LocalHost (Using LRPC)', 'Unavailable', 'Unavailable' |
26.03.2017 | 23.00.13 | Process | Started | C:\Windows\System32\RuntimeBroker.exe |
26.03.2017 | 23.00.13 | Process | Started | C:\Windows\Explorer.EXE |
26.03.2017 | 23.00.14 | Process | Started | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: bjarne
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: DefaultAccount
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: haugerud
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: Administrator
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: haugerud
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: klara
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: defaultuser0
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: Guest
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: DefaultAccount
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: defaultuser0
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: Administrator
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: bjarne
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: klara
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: os
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: Guest
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: haugerud
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: Administrator
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: bjarne
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: DefaultAccount
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: DefaultAccount
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: defaultuser0
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: haugerud
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: klara
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: os
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: haugerud
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: defaultuser0
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: Guest
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: haugerud
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: bjarne
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: DefaultAccount
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: defaultuser0
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: os
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: Administrator
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: Administrator
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: Guest
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: os
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: bjarne
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: haugerud
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: klara
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.22 | Event | Security | An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Additional Information:
Caller Workstation: DESKTOP-KV0DOUH
Target Account Name: haugerud
Target Account Domain: DESKTOP-KV0DOUH |
26.03.2017 | 23.00.31 | Process | Started | C:\Program Files\Windows Defender\MSASCuiL.exe |
26.03.2017 | 23.00.32 | Process | Started | C:\Users\haugerud\AppData\Local\Microsoft\OneDrive\OneDrive.exe |
26.03.2017 | 23.01.14 | Process | Started | C:\Windows\system32\DllHost.exe |
26.03.2017 | 23.01.16 | Event | Security | A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x334
Process Name: C:\Windows\System32\svchost.exe |
26.03.2017 | 23.01.16 | Event | Security | A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x334
Process Name: C:\Windows\System32\svchost.exe |
26.03.2017 | 23.01.18 | Process | Started | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
26.03.2017 | 23.01.26 | Process | Started | C:\Windows\system32\conhost.exe |
26.03.2017 | 23.01.27 | Event | Windows PowerShell | Engine state is changed from None to Available.
Details:
NewEngineState=Available
PreviousEngineState=None
SequenceNumber=13
HostName=ConsoleHost
HostVersion=5.1.14393.953
HostId=7cecefce-006a-4156-bf54-5799fba5f17c
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=5.1.14393.953
RunspaceId=6183cbc0-4ffd-4234-ae8f-cabf7b6cbcf9
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine= |
26.03.2017 | 23.01.27 | Event | Windows PowerShell | Provider "Function" is Started.
Details:
ProviderName=Function
NewProviderState=Started
SequenceNumber=9
HostName=ConsoleHost
HostVersion=5.1.14393.953
HostId=7cecefce-006a-4156-bf54-5799fba5f17c
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine= |
26.03.2017 | 23.01.27 | Event | Windows PowerShell | Provider "Registry" is Started.
Details:
ProviderName=Registry
NewProviderState=Started
SequenceNumber=1
HostName=ConsoleHost
HostVersion=5.1.14393.953
HostId=7cecefce-006a-4156-bf54-5799fba5f17c
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine= |
26.03.2017 | 23.01.27 | Event | Windows PowerShell | Provider "Variable" is Started.
Details:
ProviderName=Variable
NewProviderState=Started
SequenceNumber=11
HostName=ConsoleHost
HostVersion=5.1.14393.953
HostId=7cecefce-006a-4156-bf54-5799fba5f17c
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine= |
26.03.2017 | 23.01.27 | Event | Windows PowerShell | Provider "Environment" is Started.
Details:
ProviderName=Environment
NewProviderState=Started
SequenceNumber=5
HostName=ConsoleHost
HostVersion=5.1.14393.953
HostId=7cecefce-006a-4156-bf54-5799fba5f17c
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine= |
26.03.2017 | 23.01.27 | Event | Windows PowerShell | Provider "Alias" is Started.
Details:
ProviderName=Alias
NewProviderState=Started
SequenceNumber=3
HostName=ConsoleHost
HostVersion=5.1.14393.953
HostId=7cecefce-006a-4156-bf54-5799fba5f17c
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine= |
26.03.2017 | 23.01.27 | Event | Windows PowerShell | Provider "FileSystem" is Started.
Details:
ProviderName=FileSystem
NewProviderState=Started
SequenceNumber=7
HostName=ConsoleHost
HostVersion=5.1.14393.953
HostId=7cecefce-006a-4156-bf54-5799fba5f17c
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine= |
26.03.2017 | 23.02.15 | Process | Started | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.12.112.0_x64__kzf8qxf38zg5c\SkypeHost.exe |
26.03.2017 | 23.02.23 | Process | Started | C:\Windows\System32\InstallAgent.exe |
26.03.2017 | 23.02.23 | Process | Started | C:\Windows\System32\InstallAgentUserBroker.exe |
26.03.2017 | 23.02.39 | File/Dir | Created | C:\Users\haugerud\Documents\4 |
26.03.2017 | 23.02.40 | Event | System | Windows Update started downloading an update. |
26.03.2017 | 23.02.52 | File/Dir | Created | C:\Users\haugerud\Documents\4\param.ps1 |
26.03.2017 | 23.02.55 | Event | Application | Fault bucket , type 0
Event Name: StoreAgentDownloadFailure1
Response: Not available
Cab Id: 0
Problem signature:
P1: Update;taskhostw
P2: 80070020
P3: 14393
P4: 953
P5: Windows.Desktop
P6: 9
P7:
P8:
P9:
P10:
Attached files:
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Update;taskhostw_88588915b0dcf328cb176429bd732564b965684_00000000_12e47681
Analysis symbol:
Rechecking for solution: 0
Report Id: 940c6523-1267-11e7-a050-0800278667e5
Report Status: 4
Hashed bucket: |
26.03.2017 | 23.03.03 | Event | Application | Fault bucket 127819474838, type 5
Event Name: StoreAgentDownloadFailure1
Response: Not available
Cab Id: 0
Problem signature:
P1: Update;taskhostw
P2: 80070020
P3: 14393
P4: 953
P5: Windows.Desktop
P6: 9
P7:
P8:
P9:
P10:
Attached files:
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;taskhostw_88588915b0dcf328cb176429bd732564b965684_00000000_0f5496e9
Analysis symbol:
Rechecking for solution: 0
Report Id: 940c6523-1267-11e7-a050-0800278667e5
Report Status: 0
Hashed bucket: 174bf8755169f75079045ae98076d0e5 |
26.03.2017 | 23.03.17 | File/Dir | Created | C:\Users\haugerud\Documents\4\ev.ps1 |
26.03.2017 | 23.03.42 | File/Dir | Created | C:\Users\haugerud\Documents\4\fileEvents.ps1 |
26.03.2017 | 23.03.51 | Process | Started | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe |
26.03.2017 | 23.03.52 | File/Dir | Created | C:\Users\haugerud\Documents\4\readDate.ps1 |
26.03.2017 | 23.04.04 | Event | System | The description for Event ID '16' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'150', '\??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.8021.42017.0_x64__8wekyb3d8bbwe\ActivationStore.dat', '0', '0' |
26.03.2017 | 23.04.07 | Event | System | The description for Event ID '16' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'116', '\??\C:\Users\haugerud\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat', '37', '2' |
26.03.2017 | 23.04.11 | Event | System | Installation Started: Windows has started installing the following update: Mail and Calendar |
26.03.2017 | 23.04.11 | File/Dir | Created | C:\Users\haugerud\Documents\4\ie.ps1 |
26.03.2017 | 23.04.16 | Event | System | Installation Successful: Windows successfully installed the following update: Mail and Calendar |
26.03.2017 | 23.04.20 | Process | Started | C:\Program Files\Windows Defender\MpCmdRun.exe |
26.03.2017 | 23.05.28 | File/Dir | Created | C:\Users\haugerud\Documents\4\getCom.ps1 |
26.03.2017 | 23.06.22 | Process | Started | C:\Program Files (x86)\Microsoft VS Code\Code.exe |
26.03.2017 | 23.07.38 | Process | Started | C:\Program Files (x86)\Microsoft VS Code\Code.exe |
26.03.2017 | 23.07.44 | Process | Started | C:\Program Files (x86)\Microsoft VS Code\Code.exe |
26.03.2017 | 23.07.53 | Process | Started | C:\Program Files (x86)\Microsoft VS Code\Code.exe |
26.03.2017 | 23.07.54 | Process | Started | C:\Program Files (x86)\Microsoft VS Code\Code.exe |
26.03.2017 | 23.15.14 | Event | System | Geolocation positioning has been disabled by the user. |
26.03.2017 | 23.59.58 | Event | System | The description for Event ID '16' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'103', '\??\C:\Users\haugerud\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat', '13', '1' |
27.03.2017 | 00.00.53 | Event | Security | A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-861375751-3771627180-3643734012-1003
Account Name: haugerud
Account Domain: DESKTOP-KV0DOUH
Logon ID: 0x57901
User:
Security ID: S-1-5-21-861375751-3771627180-3643734012-1003
Account Name: haugerud
Account Domain: DESKTOP-KV0DOUH
Process Information:
Process ID: 0x132c
Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
27.03.2017 | 00.31.25 | Event | Security | A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-861375751-3771627180-3643734012-1003
Account Name: haugerud
Account Domain: DESKTOP-KV0DOUH
Logon ID: 0x57901
User:
Security ID: S-1-5-21-861375751-3771627180-3643734012-1003
Account Name: haugerud
Account Domain: DESKTOP-KV0DOUH
Process Information:
Process ID: 0xee0
Process Name: C:\Program Files\Git\usr\bin\scp.exe |
27.03.2017 | 00.31.29 | File/Dir | Created | C:\Users\haugerud\Documents\photo.ps1 |
27.03.2017 | 00.33.36 | Event | Security | A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x954
Process Name: C:\Windows\System32\consent.exe |
27.03.2017 | 00.33.36 | Event | Security | A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x954
Process Name: C:\Windows\System32\consent.exe |
27.03.2017 | 00.33.42 | Event | Security | An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: %%1843
Elevated Token: %%1843
Impersonation Level: %%1833
New Logon:
Security ID: S-1-5-21-861375751-3771627180-3643734012-1005
Account Name: bjarne
Account Domain: DESKTOP-KV0DOUH
Logon ID: 0x188a10
Linked Logon ID: 0x1889f0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x954
Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: DESKTOP-KV0DOUH
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. |
27.03.2017 | 00.33.42 | Event | Security | Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-861375751-3771627180-3643734012-1005
Account Name: bjarne
Account Domain: DESKTOP-KV0DOUH
Logon ID: 0x1889f0
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege |
27.03.2017 | 00.33.42 | Event | Security | An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: %%1843
Elevated Token: %%1842
Impersonation Level: %%1833
New Logon:
Security ID: S-1-5-21-861375751-3771627180-3643734012-1005
Account Name: bjarne
Account Domain: DESKTOP-KV0DOUH
Logon ID: 0x1889f0
Linked Logon ID: 0x188a10
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x954
Process Name: C:\Windows\System32\consent.exe
Network Information:
Workstation Name: DESKTOP-KV0DOUH
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: CredPro
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. |
27.03.2017 | 00.33.42 | Event | Security | An account was logged off.
Subject:
Security ID: S-1-5-21-861375751-3771627180-3643734012-1005
Account Name: bjarne
Account Domain: DESKTOP-KV0DOUH
Logon ID: 0x188a10
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. |
27.03.2017 | 00.33.42 | Event | Security | A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: bjarne
Account Domain: DESKTOP-KV0DOUH
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x954
Process Name: C:\Windows\System32\consent.exe
Network Information:
Network Address: ::1
Port: 0
This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. |
27.03.2017 | 00.33.44 | Event | Security | A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x334
Process Name: C:\Windows\System32\svchost.exe |
27.03.2017 | 00.33.44 | Event | Security | A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-KV0DOUH$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x334
Process Name: C:\Windows\System32\svchost.exe |
27.03.2017 | 00.33.44 | Process | Started | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
27.03.2017 | 00.33.44 | Process | Started | C:\Windows\system32\conhost.exe |
27.03.2017 | 00.33.45 | Event | Windows PowerShell | Provider "Alias" is Started.
Details:
ProviderName=Alias
NewProviderState=Started
SequenceNumber=3
HostName=ConsoleHost
HostVersion=5.1.14393.953
HostId=096d9e99-32a3-4e97-a31e-4947d3bdc6ea
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine= |
27.03.2017 | 00.33.45 | Event | Windows PowerShell | Provider "Registry" is Started.
Details:
ProviderName=Registry
NewProviderState=Started
SequenceNumber=1
HostName=ConsoleHost
HostVersion=5.1.14393.953
HostId=096d9e99-32a3-4e97-a31e-4947d3bdc6ea
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine= |
27.03.2017 | 00.33.45 | Event | Windows PowerShell | Provider "Function" is Started.
Details:
ProviderName=Function
NewProviderState=Started
SequenceNumber=9
HostName=ConsoleHost
HostVersion=5.1.14393.953
HostId=096d9e99-32a3-4e97-a31e-4947d3bdc6ea
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine= |
27.03.2017 | 00.33.45 | Event | Windows PowerShell | Provider "FileSystem" is Started.
Details:
ProviderName=FileSystem
NewProviderState=Started
SequenceNumber=7
HostName=ConsoleHost
HostVersion=5.1.14393.953
HostId=096d9e99-32a3-4e97-a31e-4947d3bdc6ea
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine= |
27.03.2017 | 00.33.45 | Event | Windows PowerShell | Provider "Environment" is Started.
Details:
ProviderName=Environment
NewProviderState=Started
SequenceNumber=5
HostName=ConsoleHost
HostVersion=5.1.14393.953
HostId=096d9e99-32a3-4e97-a31e-4947d3bdc6ea
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine= |
27.03.2017 | 00.33.45 | Event | Windows PowerShell | Provider "Variable" is Started.
Details:
ProviderName=Variable
NewProviderState=Started
SequenceNumber=11
HostName=ConsoleHost
HostVersion=5.1.14393.953
HostId=096d9e99-32a3-4e97-a31e-4947d3bdc6ea
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine= |
27.03.2017 | 00.33.45 | Event | Windows PowerShell | Engine state is changed from None to Available.
Details:
NewEngineState=Available
PreviousEngineState=None
SequenceNumber=13
HostName=ConsoleHost
HostVersion=5.1.14393.953
HostId=096d9e99-32a3-4e97-a31e-4947d3bdc6ea
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=5.1.14393.953
RunspaceId=c09153e3-7e3f-495e-affd-485ce9d8c9d5
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine= |