none
Question regarding event 4634 and 4624 RRS feed

  • Question

  • Dear Microsoft,

    I have had an intruder in my computer system in various ways over 1 year of time.  No person I have hired can help me

    Enclosed is information from my event viewer.  Just wondering if this could be part of an intruder?  I really need help in resolving this

    issue, both mentally and aaaurance of computer security .  Thank you for any help you may offer.  Also, is there a way or program to reveil

    who logs onto my computer and identifies the person and computer?  I have tried sending my concerns (freak out) to Microsoft before.  I never

    received any help of answers, both from phone calls and emails.  Once again, thank you.

     

    Cheryle K.

     

     

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/19/2011 11:11:28 AM
    Event ID:      4624
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      cherylefula
    Description:
    An account was successfully logged on.

    Subject:
     Security ID:  NULL SID
     Account Name:  -
     Account Domain:  -
     Logon ID:  0x0

    Logon Type:   3

    New Logon:
     Security ID:  ANONYMOUS LOGON
     Account Name:  ANONYMOUS LOGON
     Account Domain:  NT AUTHORITY
     Logon ID:  0xa2226a
     Logon GUID:  {00000000-0000-0000-0000-000000000000}

    Process Information:
     Process ID:  0x0
     Process Name:  -

    Network Information:
     Workstation Name: CORPORATETAX
     Source Network Address: 192.168.1.117
     Source Port:  49194

    Detailed Authentication Information:
     Logon Process:  NtLmSsp
     Authentication Package: NTLM
     Transited Services: -
     Package Name (NTLM only): NTLM V1
     Key Length:  128

    This event is generated when a logon session is created. It is generated on the computer that was accessed.

    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
     - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
     - Transited services indicate which intermediate services have participated in this logon request.
     - Package name indicates which sub-protocol was used among the NTLM protocols.
     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4624</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2011-04-19T18:11:28.300626100Z" />
        <EventRecordID>2714</EventRecordID>
        <Correlation />
        <Execution ProcessID="552" ThreadID="2768" />
        <Channel>Security</Channel>
        <Computer>cherylefula</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-5-7</Data>
        <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
        <Data Name="TargetDomainName">NT AUTHORITY</Data>
        <Data Name="TargetLogonId">0xa2226a</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">NtLmSsp </Data>
        <Data Name="AuthenticationPackageName">NTLM</Data>
        <Data Name="WorkstationName">CORPORATETAX</Data>
        <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">NTLM V1</Data>
        <Data Name="KeyLength">128</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">192.168.1.117</Data>
        <Data Name="IpPort">49194</Data>
      </EventData>
    </Event>

     

     

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/19/2011 11:11:28 AM
    Event ID:      4624
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      cherylefula
    Description:
    An account was successfully logged on.

    Subject:
     Security ID:  NULL SID
     Account Name:  -
     Account Domain:  -
     Logon ID:  0x0

    Logon Type:   3

    New Logon:
     Security ID:  ANONYMOUS LOGON
     Account Name:  ANONYMOUS LOGON
     Account Domain:  NT AUTHORITY
     Logon ID:  0xa2226a
     Logon GUID:  {00000000-0000-0000-0000-000000000000}

    Process Information:
     Process ID:  0x0
     Process Name:  -

    Network Information:
     Workstation Name: CORPORATETAX
     Source Network Address: 192.168.1.117
     Source Port:  49194

    Detailed Authentication Information:
     Logon Process:  NtLmSsp
     Authentication Package: NTLM
     Transited Services: -
     Package Name (NTLM only): NTLM V1
     Key Length:  128

    This event is generated when a logon session is created. It is generated on the computer that was accessed.

    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
     - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
     - Transited services indicate which intermediate services have participated in this logon request.
     - Package name indicates which sub-protocol was used among the NTLM protocols.
     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4624</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2011-04-19T18:11:28.300626100Z" />
        <EventRecordID>2714</EventRecordID>
        <Correlation />
        <Execution ProcessID="552" ThreadID="2768" />
        <Channel>Security</Channel>
        <Computer>cherylefula</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-5-7</Data>
        <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
        <Data Name="TargetDomainName">NT AUTHORITY</Data>
        <Data Name="TargetLogonId">0xa2226a</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">NtLmSsp </Data>
        <Data Name="AuthenticationPackageName">NTLM</Data>
        <Data Name="WorkstationName">CORPORATETAX</Data>
        <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">NTLM V1</Data>
        <Data Name="KeyLength">128</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">192.168.1.117</Data>
        <Data Name="IpPort">49194</Data>
      </EventData>
    </Event>

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/19/2011 11:11:38 AM
    Event ID:      4634
    Task Category: Logoff
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      cherylefula
    Description:
    An account was logged off.

    Subject:
     Security ID:  ANONYMOUS LOGON
     Account Name:  ANONYMOUS LOGON
     Account Domain:  NT AUTHORITY
     Logon ID:  0xa22292

    Logon Type:   3

    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4634</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12545</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2011-04-19T18:11:38.581044200Z" />
        <EventRecordID>2717</EventRecordID>
        <Correlation />
        <Execution ProcessID="552" ThreadID="672" />
        <Channel>Security</Channel>
        <Computer>cherylefula</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="TargetUserSid">S-1-5-7</Data>
        <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
        <Data Name="TargetDomainName">NT AUTHORITY</Data>
        <Data Name="TargetLogonId">0xa22292</Data>
        <Data Name="LogonType">3</Data>
      </EventData>
    </Event>

     

     

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/19/2011 11:11:38 AM
    Event ID:      4634
    Task Category: Logoff
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      cherylefula
    Description:
    An account was logged off.

    Subject:
     Security ID:  ANONYMOUS LOGON
     Account Name:  ANONYMOUS LOGON
     Account Domain:  NT AUTHORITY
     Logon ID:  0xa22292

    Logon Type:   3

    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4634</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12545</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2011-04-19T18:11:38.581044200Z" />
        <EventRecordID>2717</EventRecordID>
        <Correlation />
        <Execution ProcessID="552" ThreadID="672" />
        <Channel>Security</Channel>
        <Computer>cherylefula</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="TargetUserSid">S-1-5-7</Data>
        <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
        <Data Name="TargetDomainName">NT AUTHORITY</Data>
        <Data Name="TargetLogonId">0xa22292</Data>
        <Data Name="LogonType">3</Data>
      </EventData>
    </Event>

    • Moved by Tim QuanModerator Wednesday, April 20, 2011 2:11 AM (From:Backup – Windows and Windows Server)
    Tuesday, April 19, 2011 6:44 PM

All replies

  • I'm no security expert but I do know something about the Logon events. Forgive me if I'm telling you stuff you already know.

    • The errors have a "Logon Type: 3" which means it is someone accessing your PC from a network. This is common if you have shared files/printers or run a webserver (like IIS).
    • The fact that the user name is "Anonymous Logon" also points to an IIS webserver.
    • Their is also information about the PC that the request came from
      Workstation Name: CORPORATETAX
      Source Network Address: 192.168.1.117
      This implies that the person's PC was called CORPORATETAX and their IP address came from a local computer on your network (192.168.x.x are from your local network)

    First I would make sure you have enabled a firewall on your computer to block anything external getting in.

    Can you tell us a bit more about your PC, e.g. what is your Operating System and Service Pack.

    Do you have IIS or another web server installed on your PC?


    Thom McKiernan (UK) @thommck | thommck.wordpress.com | MCSA | MCTS
    Wednesday, June 8, 2011 4:23 PM