EventLogEntry#Security/Microsoft-Windows-Security-Auditing/4634
"EventID","MachineName","Data","Index","Category","CategoryNumber","EntryType","Message","Source","ReplacementStrings","InstanceId","TimeGenerated","TimeWritten","UserName","Site","Container"
"4634","WIN-NCCK04JRFCT","System.Byte[]","1649","(12545)","12545","SuccessAudit","An account was logged off.
Subject:
Security ID: S-1-5-21-2678899424-571758068-3761787629-1001
Account Name: TEST
Account Domain: DESKTOP-34J1GT5
Logon ID: 0x1b7063b
Logon Type: 2
Subject:
Security ID: S-1-5-21-2678899424-571758068-3761787629-1001
Account Name: TEST
Account Domain: DESKTOP-34J1GT5
Logon ID: 0x1b70659
Logon Type: 2
Subject:
Security ID: S-1-5-21-2678899424-571758068-3761787629-1001
Account Name: TEST
Account Domain: DESKTOP-34J1GT5
Logon ID: 0x1b7063b
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege","Microsoft-Windows-Security-Auditing","System.String[]","4672","13-11-2018 08:51:35","13-11-2018 08:51:35",,,
"4624","WIN-NCCK04JRFCT","System.Byte[]","1646","(12544)","12544","SuccessAudit","An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-NCCK04JRFCT$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: %%1843
Elevated Token: %%1843
New Logon:
Security ID: S-1-5-21-2678899424-571758068-3761787629-1001
Account Name: TEST
Account Domain: DESKTOP-34J1GT5
Logon ID: 0x1b70659
Linked Logon ID: 0x1b7063b
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xb38
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: WIN-NCCK04JRFCT
Source Network Address: 127.0.0.1
Source Port: 0
The subject fields indicate the account on the local system which requested the
logon. This is most commonly a service such as the Server service, or a local
process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common
types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e.
the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation
name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon
session can impersonate.
Subject:
Security ID: S-1-5-18
Account Name: WIN-NCCK04JRFCT$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: %%1843
Elevated Token: %%1842
New Logon:
Security ID: S-1-5-21-2678899424-571758068-3761787629-1001
Account Name: TEST
Account Domain: DESKTOP-34J1GT5
Logon ID: 0x1b7063b
Linked Logon ID: 0x1b70659
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xb38
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: WIN-NCCK04JRFCT
Source Network Address: 127.0.0.1
Source Port: 0
The subject fields indicate the account on the local system which requested the
logon. This is most commonly a service such as the Server service, or a local
process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common
types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e.
the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation
name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon
session can impersonate.
Subject:
Security ID: S-1-5-18
Account Name: WIN-NCCK04JRFCT$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xb38
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: 127.0.0.1
Port: 0
Subject:
Security ID: S-1-5-18
Account Name: WIN-NCCK04JRFCT$
Account Domain: WORKGROUP
Logon ID: 0x3e7
User:
Security ID: S-1-5-21-2678899424-571758068-3761787629-1001
Account Name: TEST
Account Domain: DESKTOP-34J1GT5
Process Information:
Process ID: 0x700
Process Name: C:\Windows\System32\LogonUI.exe","Microsoft-Windows-Security-Auditing","System.String[]","4798","13-11-2018 08:51:06","13-11-2018 08:51:06",,,
"4672","WIN-NCCK04JRFCT","System.Byte[]","1642","(12548)","12548","SuccessAudit","Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege","Microsoft-Windows-Security-Auditing","System.String[]","4672","13-11-2018 08:46:56","13-11-2018 08:46:56",,,
"4624","WIN-NCCK04JRFCT","System.Byte[]","1641","(12544)","12544","SuccessAudit","An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-NCCK04JRFCT$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: %%1843
Elevated Token: %%1842
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x28c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
The subject fields indicate the account on the local system which requested the
logon. This is most commonly a service such as the Server service, or a local
process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common
types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e.
the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation
name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon
session can impersonate.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege","Microsoft-Windows-Security-Auditing","System.String[]","4672","13-11-2018 07:41:40","13-11-2018 07:41:40",,,
"4624","WIN-NCCK04JRFCT","System.Byte[]","1639","(12544)","12544","SuccessAudit","An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-NCCK04JRFCT$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: %%1843
Elevated Token: %%1842
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x28c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
The subject fields indicate the account on the local system which requested the
logon. This is most commonly a service such as the Server service, or a local
process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common
types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e.
the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation
name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon
session can impersonate.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege","Microsoft-Windows-Security-Auditing","System.String[]","4672","13-11-2018 07:10:59","13-11-2018 07:10:59",,,
"4624","WIN-NCCK04JRFCT","System.Byte[]","1637","(12544)","12544","SuccessAudit","An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-NCCK04JRFCT$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: %%1843
Elevated Token: %%1842
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x28c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
The subject fields indicate the account on the local system which requested the
logon. This is most commonly a service such as the Server service, or a local
process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common
types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e.
the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation
name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon
session can impersonate.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege","Microsoft-Windows-Security-Auditing","System.String[]","4672","13-11-2018 07:09:57","13-11-2018 07:09:57",,,
"4624","WIN-NCCK04JRFCT","System.Byte[]","1635","(12544)","12544","SuccessAudit","An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-NCCK04JRFCT$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: %%1843
Elevated Token: %%1842
Impersonation Level: %%1833
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x28c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
The subject fields indicate the account on the local system which requested the
logon. This is most commonly a service such as the Server service, or a local
process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common
types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e.
the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation
name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon
session can impersonate.
Subject:
Security ID: S-1-5-18
Account Name: WIN-NCCK04JRFCT$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x14e0
Process Name: C:\Windows\System32\VSSVC.exe","Microsoft-Windows-Security-Auditing","System.String[]","4799","13-11-2018 07:09:56","13-11-2018 07:09:56",,,
"4799","WIN-NCCK04JRFCT","System.Byte[]","1633","(13826)","13826","SuccessAudit","A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: WIN-NCCK04JRFCT$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x14e0
Process Name: C:\Windows\System32\VSSVC.exe","Microsoft-Windows-Security-Auditing","System.String[]","4799","13-11-2018 07:09:56","13-11-2018 07:09:56",,,
"4799","WIN-NCCK04JRFCT","System.Byte[]","1632","(13826)","13826","SuccessAudit","A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: WIN-NCCK04JRFCT$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x14e0
Process Name: C:\Windows\System32\VSSVC.exe","Microsoft-Windows-Security-Auditing","System.String[]","4799","13-11-2018 07:09:56","13-11-2018 07:09:56",,,
"4799","WIN-NCCK04JRFCT","System.Byte[]","1631","(13826)","13826","SuccessAudit","A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: WIN-NCCK04JRFCT$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x14e0
Process Name: C:\Windows\System32\VSSVC.exe","Microsoft-Windows-Security-Auditing","System.String[]","4799","13-11-2018 07:09:56","13-11-2018 07:09:56",,,
"4799","WIN-NCCK04JRFCT","System.Byte[]","1630","(13826)","13826","SuccessAudit","A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: WIN-NCCK04JRFCT$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x14e0
Process Name: C:\Windows\System32\VSSVC.exe","Microsoft-Windows-Security-Auditing","System.String[]","4799","13-11-2018 07:09:56","13-11-2018 07:09:56",,,