Could someone have gotten into my computer manually?

  • Question

  • Hi guys, I have a few questions. I left my computer in sleep mode (I have a password-protected account), and I live with crazy roommates. I left it like that on 1.9. during the night.

    On 2.9 I was away during the whole day and left my computer in my room.

    I began suspecting that they have invaded my laptop during that day due to one thing. So I checked Event Viewer, Security log. I talked with a friend of mine, and he told me to look for event ID 4648; that one shows whether someone has logged in to your computer using password credentials. I have found out that nobody did during that time. I am still not calm though.

    I checked other security logs that happened during that day. Since the moment I put my computer in sleep mode, there have been processes running in the background. At night at 2:30 I had a mix of 4624+4672, and since then there have always been 4 system integrity event IDs 5062 exchanging with 1x logon 4624 and 1x special logon 4672, every couple of hours till the moment I came home in the evening and logged in.

    So, the question is:

    1. If I have a password-protected computer, does that mean that it will require a password each and every time, no exceptions, when someone opens the computer and recovers it from sleep mode?

    2. Is it possible for 4624 and 4672 event IDs in the Security log, at the moment they happen, and perhaps a few seconds/minutes later, since they mean Log on and Special log on, to "break" the login screen, and if someone opened my laptop at that moment to be actually logged in? Without needing to put in the password?

    3. At one suspicious time I also had in the Application log event ID 1005 - Customer Experience Improvement Program. What does it mean, and does this event happen only when the computer is logged in for real, or is it some background process that happened during sleep mode?

    Thanks a lot. Have a nice day.

    Monday, September 5, 2016 11:12 AM

All replies

  • Hi faergorko,

    >1. If I have a password-protected computer, does that mean that it will require a password each and every time, no exceptions, when someone opens the computer and recovers it from sleep mode?

    For a Windows system, in password-protected mode, you will always need to enter a username/password to log on; however, as we know, there might be some specific tools to break into your computer without knowing the correct password.

    >2. Is it possible for 4624 and 4672 event IDs in the Security log, at the moment they happen, and perhaps a few seconds/minutes later, since they mean Log on and Special log on, to "break" the login screen, and if someone opened my laptop at that moment to be actually logged in? Without needing to put in the password?

    Event 4624 along with event 4672 might indicate that a specific account is logged on to your computer; generally, it may be an admin account with high rights. Please check the detailed information of event 4672 to see which account is logged in.

    (Event 4624: An account was successfully logged on.

    Event 4672: Special privileges assigned to new logon.)

    If you didn't log in at that time, I think you should be vigilant!

    >3. At one suspicious time I also had in the Application log event ID 1005 - Customer Experience Improvement Program. What does it mean, and does this event happen only when the computer is logged in for real, or is it some background process that happened during sleep mode?

    Event 1005 (Application): Restart Manager attempts to detect applications and services that are using resources needed for program installation or updates. If this detection process is successful, event 10005 is logged and the event details contain a list of the applications and services using the required resources. This indicates that Restart Manager successfully detected resource requirements, but that a system restart might be required to complete the operation.

    https://technet.microsoft.com/en-us/library/cc774638(v=ws.10).aspx

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, September 6, 2016 9:23 AM
  • Hi faergorko,

    Besides, since the Security Forum is more related to certificates, and your questions seem more related to the PC, if you need further help checking the log, you may turn to the Client Forum for more professional help:

    https://social.technet.microsoft.com/Forums/en-US/home?forum=win10itprosecurity

    Best Regards,

    Anne



    Tuesday, September 6, 2016 9:27 AM
  • I looked at the 4624 detailed information and it says: logon type 5, which is a logon caused by an application.

    A little below was also the specific program that caused this; it was: services.exe

    This thing has been appearing during the whole day every few hours.

    I looked it up: if someone manually opened my computer, it would be either logon type 2 or logon type 7. However, it has been showing me logon type 5 the whole time. So, it was just services.exe working in the background the whole time, right? :)

    So, the computer was waking up from sleep just because of that one thing.

    Also, if someone manually entered my computer, it would show up as event ID 4648, right? I tried it a couple of times, and it always showed 4648.

    So does that mean that nobody has messed with my computer and it has been waking up from sleep every few hours (therefore 4624 and 4672) just because of services.exe running in the background?

    Thanks


    Tuesday, September 6, 2016 10:24 AM
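
The check walked through in this thread (reading the logon type and originating process of every 4624 event recorded while the machine was unattended), as an added example that is not part of the original posts. The function name `Get-LogonSummary` is hypothetical and the time window is a placeholder; the field names are those of the 4624 event data.

```powershell
# Added example: summarize 4624 logons in a time window by logon type.
# Logon type names follow Microsoft's documentation for event 4624.
$LogonTypeName = @{
    2  = 'Interactive (console sign-in)'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}
# Types that mean a person signed in at the console or over remote desktop
$HumanTypes = 2, 7, 10, 11

function Get-LogonSummary {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End
    )
    # Reading the Security log requires an elevated PowerShell session.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End }
    Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        # Pull the named fields out of the event's XML payload
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $type = [int]$data['LogonType']
        [pscustomobject]@{
            Time      = $_.TimeCreated
            LogonType = $type
            TypeName  = $LogonTypeName[$type]
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Process   = $data['ProcessName']
            Human     = $type -in $HumanTypes
        }
    }
}

# Placeholder window: set it to the period the machine was left unattended.
$logons = Get-LogonSummary -Start '2016-09-01 22:00' -End '2016-09-02 20:00'
$logons | Sort-Object Time | Format-Table -AutoSize

# Rows that warrant a closer look: sign-ins at the console, unlocks, or RDP
$logons | Where-Object Human | Format-Table Time, TypeName, Account, Process
```

Rows with logon type 5 and a process path ending in `services.exe` correspond to the service logons described in the post above; an empty second table means no type 2, 7, 10 or 11 logon was recorded in the window.
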
  • Hi faergorko,

    >So does that mean that nobody has messed with my computer and it has been waking up from sleep every few hours (therefore 4624 and 4672) just because of services.exe running in the background?

    I searched the related events mentioned by you, and the meaning is as you described, so it seems you are right.

    Best Regards,

    Anne



    Tuesday, September 13, 2016 2:01 AM
  • Hi faergorko,
    Could the above replies be of help? If yes, you may mark it as answer, if not, feel free to feed back.

    Best Regards,

    Anne



    Wednesday, September 21, 2016 7:31 AM