Explanation for multiple 4624 events per login event? I get 2 per login with different Logon ID values.

  • Question

  • Hi, it seems like this is a vexing problem for lots of people (including me).  I'm trying to track administrative logins with my SIEM, and found this today:  In my testing environment (brand new DC and Win 7 client), each login success has two 4624 events, with different Logon ID values.  For the user, one has a GUID of all zeros, and the other is populated.  The Logon ID and GUID values in question are in bold italics below.

    I'll post the log lines below. Does anyone have an idea as to why this happens?  I'll paste the log lines below.  Thanks in advance to anyone who can shed some light on this. 

    ***********First event:********************

    2017 Apr 05 17:21:50 WinEvtLog: Security:
    AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: kevinadmin: TESTDOMAIN: Win7-1.testdomain.local: An account was successfully logged
    on. Subject:  Security ID:  S-1-5-18  Account Name:  WIN7-1$  Account Domain:  TESTDOMAIN  Logon ID:  0x3e7  Logon Type:   10  New Logon:
    Security ID:  S-1-5-21-1041407026-3092459738-4196301295-1105  Account Name:  kevinadmin  Account Domain:  TESTDOMAIN  Logon ID:  0xf0e974  Logon
    GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0xa68  Process Name:  C:\Windows\System32\winlogon.exe
    Network Information:  Workstation Name: WIN7-1  Source Network Address: 10.101.4.200  Source Port:  59863  Detailed Authentication Information:
    Logon Process:  User32   Authentication Package: Negotiate  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is
    generated when a logon session is created. It is generated on the computer that was accessed. [END]";

    ******************Second Event:****************

    2017 Apr 05 17:21:50 WinEvtLog: Security:
    AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: kevinadmin: TESTDOMAIN: Win7-1.testdomain.local: An account was successfully logged
    on. Subject:  Security ID:  S-1-5-18  Account Name:  WIN7-1$  Account Domain:  TESTDOMAIN  Logon ID:  0x3e7  Logon Type:   10  New Logon:
    Security ID:  S-1-5-21-1041407026-3092459738-4196301295-1105  Account Name:  kevinadmin  Account Domain:  TESTDOMAIN  Logon ID:  0xf0e955  Logon
    GUID:  {EB48240D-5BF5-EBB7-F12B-42A958DE4B6A}  Process Information:  Process ID:  0xa68  Process Name:  C:\Windows\System32\winlogon.exe
    Network Information:  Workstation Name: WIN7-1  Source Network Address: 10.101.4.200  Source Port:  59863  Detailed Authentication Information:
    Logon Process:  User32   Authentication Package: Negotiate  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is
    generated when a logon session is created. It is generated on the computer that was accessed. [END]";

    Wednesday, April 5, 2017 10:00 PM

Answers

  • Hi,

    I assume you met the following scenario event.

    When a user logs on, two events get logged with event ID 4624. The only difference between them is the following:

    Logon GUID:  {00000000-0000-0000-0000-000000000000}

    Logon GUID:  {user GUID }

    Logon GUID: {00000000-0000-0000-0000-000000000000} is for anything other than Kerberos. The Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.

    You can refer to the following article:

    Deciphering Account Logon Events

    http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447934.aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Proposed as answer by AlvwanModerator Thursday, April 6, 2017 8:29 AM
    • Edited by AlvwanModerator Thursday, April 6, 2017 8:32 AM
    • Marked as answer by ktgeil Tuesday, April 11, 2017 10:04 AM
    Thursday, April 6, 2017 8:29 AM
    Moderator

All replies

  • Thanks Alvin, that is a useful article.  So, does the  logon event with a non-Kerberos GUID represent initial communication with the Domain Controller before the Kerberos TGT is issued?

    Thanks for the help!

    Kevin
    Thursday, April 6, 2017 11:06 AM
  • Hi Kevin,

    <<< So, does the  logon event with a non-Kerberos GUID represent initial communication with the Domain Controller before the Kerberos TGT is issued? >>>

    No, below is the explanation.

    Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested” event on a domain controller.

    It also can be used for correlation between a 4624 event and several other events (on the same computer) that can contain the same Logon GUID, “4648(S): A logon was attempted using explicit credentials” and “4964(S): Special groups have been assigned to a new logon.”

    This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.

    More information here:

    4624(S): An account was successfully logged on.

    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4624

    Best Regards,

    Alvin Wang



    Monday, April 10, 2017 2:50 AM
    Moderator
  • Alvin, thank you very much for helping make this clear for me. 

    Kevin

    Tuesday, April 11, 2017 10:05 AM
  • Hi Kevin,

    You're welcome.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Alvin Wang



    Tuesday, April 11, 2017 10:55 AM
    Moderator
  • This is happening because of UAC.

    By default, when a user logs on to the system, two logon success entries are added to the event log. This is directly because of the User Account Control (UAC) feature which was introduced with Windows Vista. Whenever a user with any privilege other than the default user privilege logs in, two session tokens are created, resulting in two logon success events with different logon IDs. Even if the logged-in user is an administrator, the applications that don't explicitly request administrator privilege will be running with standard user permissions. If an application requires administrator privileges, it requests the admin access privilege and then runs in that session.


    By default, standard users and administrators access resources and run apps in the security context of standard users. 
    When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed.
    A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows automatically prompts the user for approval. 

    In short, two sessions are created. One with admin privilege and one with standard user privilege. Both are terminated when the user logs off with 4634 (unless there is a token leak issue).

    - How to disable two sessions for single logins?

         The User Account Control Settings option provides a slider to control the UAC level. This doesn't completely disable UAC. Instead it provides a direct 'Grant' response for all requests. In order to fully disable UAC we must disable the policy User Account Control: Run all administrators in Admin Approval Mode in Local Security Policy -> Local Policies -> Security Options.
         By default, admin approval mode is enabled and all systems will generate two sessions for single logon.

    - Cases of single session per login

        There is a policy User Account Control: Use Admin Approval Mode for the built-in Administrator account which is DISABLED BY DEFAULT. As a result, when a user logs in to the local administrator account, there will be only one session with complete admin privilege and only one login event will be generated. 

    • Edited by afsalv Thursday, December 7, 2017 5:04 AM
    Wednesday, December 6, 2017 1:46 PM
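The following Python is an added example, not code from the thread, from Kevin's SIEM, or from Microsoft. It shows how a SIEM rule could treat the two 4624 records in the question in the light of both answers: the UAC split token produces two 4624s that agree on everything except Logon ID and Logon GUID, so they are collapsed into one logon record; the non-zero Logon GUID (the Kerberos one) is kept as the handle for correlating with 4769, while the all-zero GUID is treated as "not captured"; and each Logon ID is paired with its 4634 so that a session that never logs off stands out. The sample lines are constructed: the two 4624 lines are the question's own events with whitespace collapsed and the trailing fields dropped, and the two 4634 logoff lines are made up for the example. The assumed layout is the flattened one-line "WinEvtLog: Security:" format quoted in the question.

```python
"""Collapse UAC-paired 4624 events into one logon and pair Logon IDs with 4634.

Added example for the thread above; assumes the flattened one-line
"WinEvtLog: Security:" layout quoted in the question, whitespace collapsed.
"""
import re
from collections import OrderedDict

ZERO_GUID = "{00000000-0000-0000-0000-000000000000}"

# Constructed sample: the question's two 4624 events (tail fields dropped),
# differing only in Logon ID and Logon GUID, plus two made-up 4634 logoffs.
LOGON_4624 = (
    "2017 Apr 05 17:21:50 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: kevinadmin: TESTDOMAIN: Win7-1.testdomain.local: "
    "An account was successfully logged on. Subject: Security ID: S-1-5-18 "
    "Account Name: WIN7-1$ Account Domain: TESTDOMAIN Logon ID: 0x3e7 Logon Type: 10 "
    "New Logon: Security ID: S-1-5-21-1041407026-3092459738-4196301295-1105 "
    "Account Name: kevinadmin Account Domain: TESTDOMAIN Logon ID: {logon_id} "
    "Logon GUID: {guid} Process Information: Process ID: 0xa68 "
    "Process Name: C:\\Windows\\System32\\winlogon.exe Network Information: "
    "Workstation Name: WIN7-1 Source Network Address: 10.101.4.200 Source Port: 59863"
)
LOGOFF_4634 = (  # constructed logoff record, same Logon IDs as the two 4624s
    "{time} WinEvtLog: Security: AUDIT_SUCCESS(4634): "
    "Microsoft-Windows-Security-Auditing: kevinadmin: TESTDOMAIN: Win7-1.testdomain.local: "
    "An account was logged off. Subject: Security ID: S-1-5-21-1041407026-3092459738-4196301295-1105 "
    "Account Name: kevinadmin Account Domain: TESTDOMAIN Logon ID: {logon_id} Logon Type: 10"
)
SAMPLE_LINES = [
    LOGON_4624.format(logon_id="0xf0e974", guid=ZERO_GUID),
    LOGON_4624.format(logon_id="0xf0e955", guid="{EB48240D-5BF5-EBB7-F12B-42A958DE4B6A}"),
    LOGOFF_4634.format(time="2017 Apr 05 17:40:12", logon_id="0xf0e974"),
    LOGOFF_4634.format(time="2017 Apr 05 17:40:12", logon_id="0xf0e955"),
]

HEADER = re.compile(r"^(?P<time>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) .*?AUDIT_\w+\((?P<event_id>\d+)\)")
SUBJECT = re.compile(r"Account Name:\s+(\S+)\s+Account Domain:\s+(\S+)\s+Logon ID:\s+(0x[0-9a-fA-F]+)")
FIELDS = {
    "logon_type": r"Logon Type:\s+(\d+)",
    "process_id": r"Process ID:\s+(0x[0-9a-fA-F]+)",
    "source": r"Source Network Address:\s+(\S+)",
    "logon_guid": r"Logon GUID:\s+(\{[0-9A-Fa-f-]+\})",
}


def parse_event(line):
    """Return the fields this example needs, or None if the header does not parse."""
    m = HEADER.match(line)
    if not m:
        return None
    ev = {"time": m.group("time"), "event_id": int(m.group("event_id"))}
    # A 4624 carries two Logon IDs; the new session's own ID is the one under
    # "New Logon:".  A 4634 only has the Subject block, which is the user.
    section = line.split("New Logon:", 1)[-1]
    sub = SUBJECT.search(section)
    if not sub:
        return None
    ev["account"], ev["domain"], ev["logon_id"] = sub.groups()
    for key, pattern in FIELDS.items():
        f = re.search(pattern, line)
        ev[key] = f.group(1) if f else None
    return ev


def group_logons(events):
    """Collapse 4624 records describing one logon into a single record.

    The UAC split token yields two 4624s that differ only in Logon ID and Logon
    GUID, so those two fields are left out of the grouping key.
    """
    groups = OrderedDict()
    for ev in events:
        if ev["event_id"] != 4624:
            continue
        key = (ev["time"], ev["domain"], ev["account"], ev["logon_type"],
               ev["process_id"], ev["source"])
        rec = groups.setdefault(key, {
            "time": ev["time"], "account": f"{ev['domain']}\\{ev['account']}",
            "logon_type": ev["logon_type"], "logon_ids": [], "kerberos_guid": None})
        rec["logon_ids"].append(ev["logon_id"])
        # Only the Kerberos-backed 4624 carries a usable GUID; all zeros means
        # the field was not captured and cannot be correlated with 4769.
        if ev["logon_guid"] and ev["logon_guid"] != ZERO_GUID:
            rec["kerberos_guid"] = ev["logon_guid"]
    for rec in groups.values():
        rec["split_token"] = len(rec["logon_ids"]) == 2
    return list(groups.values())


def track_sessions(events):
    """Pair each 4624 Logon ID with its 4634; logoff stays None while open."""
    sessions = OrderedDict()
    for ev in events:
        if ev["event_id"] == 4624:
            sessions[ev["logon_id"]] = {"logon": ev["time"], "logoff": None}
        elif ev["event_id"] == 4634 and ev["logon_id"] in sessions:
            sessions[ev["logon_id"]]["logoff"] = ev["time"]
    return sessions


def open_sessions(events):
    """Logon IDs with no matching 4634 (still active, or a leaked token)."""
    return [lid for lid, s in track_sessions(events).items() if s["logoff"] is None]


if __name__ == "__main__":
    evts = [e for e in map(parse_event, SAMPLE_LINES) if e]
    for rec in group_logons(evts):
        print(rec)
    print("open sessions:", open_sessions(evts))
```

Grouping on time, account, logon type, process ID and source address is deliberately narrow: two genuinely separate interactive logons by the same user in the same second would still be collapsed, so a production rule would add the Logon ID of the Subject or the record ID as a tiebreaker. Keeping both Logon IDs on the collapsed record matters because, as the last reply notes, each ID gets its own 4634 at logoff.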