Lots of "Special Logon" events for computer account?

    Question

  • I have a domain controller running Windows 2008 R2 (computer name is hyperv, domain name is cdm.local).

    This machine/network is only used by 3 people at the most.

    Every couple seconds my Security log shows:

    4672  Special Logon
    4624  Logon
    4634  Logoff

     

    I've read that I can turn off this logging, but is this normal?

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          7/23/2010 9:53:47 AM
    Event ID:      4672
    Task Category: Special Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      HyperV.cdm.local
    Description:
    Special privileges assigned to new logon.

    Subject:
     Security ID:  SYSTEM
     Account Name:  HYPERV$
     Account Domain:  CDM
     Logon ID:  0x4403fd

    Privileges:  SeSecurityPrivilege
       SeBackupPrivilege
       SeRestorePrivilege
       SeTakeOwnershipPrivilege
       SeDebugPrivilege
       SeSystemEnvironmentPrivilege
       SeLoadDriverPrivilege
       SeImpersonatePrivilege
       SeEnableDelegationPrivilege
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4672</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12548</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2010-07-23T14:53:47.568593200Z" />
        <EventRecordID>2207502</EventRecordID>
        <Correlation />
        <Execution ProcessID="784" ThreadID="1576" />
        <Channel>Security</Channel>
        <Computer>HyperV.cdm.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">HYPERV$</Data>
        <Data Name="SubjectDomainName">CDM</Data>
        <Data Name="SubjectLogonId">0x4403fd</Data>
        <Data Name="PrivilegeList">SeSecurityPrivilege
       SeBackupPrivilege
       SeRestorePrivilege
       SeTakeOwnershipPrivilege
       SeDebugPrivilege
       SeSystemEnvironmentPrivilege
       SeLoadDriverPrivilege
       SeImpersonatePrivilege
       SeEnableDelegationPrivilege</Data>
      </EventData>
    </Event>

    Friday, July 23, 2010 3:24 PM

Answers

  • This is due to the SYSTEM account, which tries to log on every couple of seconds. It is perfectly normal, so don't worry.

    Best regards.

    • Marked as answer by cmay Monday, July 26, 2010 1:28 PM
    Monday, July 26, 2010 8:09 AM
  • Hi,

    Thanks for the post.

    Please understand that event 4672 lets you know whenever an account assigned any "administrator equivalent" user rights logs on. For instance, you will see event 4672 in close proximity to logon events 4624 for administrators, since administrators have most of these admin-equivalent rights.

    This is a useful right for detecting any "super user" account logons. Of course, this right is logged for any server or application accounts logging on as a batch job (scheduled task) or system service.

    Hope this helps.

    Miles


    Monday, July 26, 2010 6:30 AM
    Moderator
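
The triage described in the answer above, as an added example that is not part of the original thread: it parses 4672 Event XML shaped like the record in the question and separates routine machine/service logons from privileged user logons worth reviewing. The `jsmith` account, its SID, the second logon ID and all helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Well-known SIDs: SYSTEM, LOCAL SERVICE, NETWORK SERVICE
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

def make_event(sid, user, logon_id, privs):
    """Build a constructed 4672 record shaped like the Event Xml in the question."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4672</EventID></System><EventData>"
        f'<Data Name="SubjectUserSid">{sid}</Data>'
        f'<Data Name="SubjectUserName">{user}</Data>'
        f'<Data Name="SubjectLogonId">{logon_id}</Data>'
        f'<Data Name="PrivilegeList">{privs}</Data>'
        "</EventData></Event>"
    )

def parse_4672(xml_text):
    """Return the fields of one 4672 event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4672":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "sid": data.get("SubjectUserSid", ""),
        "user": data.get("SubjectUserName", ""),
        "logon_id": data.get("SubjectLogonId", ""),
        # PrivilegeList is whitespace/newline separated, as in the question
        "privileges": data.get("PrivilegeList", "").split(),
    }

def is_machine_or_service(ev):
    # Heuristic: built-in service SID, or a computer account name ending in "$"
    return ev["sid"] in SERVICE_SIDS or ev["user"].endswith("$")

def triage(xml_events):
    """Split 4672 events into routine machine/service logons and ones to review."""
    routine, review = [], []
    for text in xml_events:
        ev = parse_4672(text)
        if ev is not None:
            (routine if is_machine_or_service(ev) else review).append(ev)
    return routine, review

SAMPLE = [  # constructed sample input; the first record mirrors the question's event
    make_event("S-1-5-18", "HYPERV$", "0x4403fd",
               "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeDebugPrivilege"),
    make_event("S-1-5-21-1111111111-2222222222-3333333333-1105", "jsmith",
               "0x51a2b3", "SeDebugPrivilege\n\t\t\tSeBackupPrivilege"),
]
```

Calling `triage(SAMPLE)` puts the `HYPERV$` record in the routine list and leaves only the `jsmith` logon for review, which is the filtering that keeps 4672 usable on a busy domain controller.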

All replies

  • This is due to the SYSTEM account, which tries to log on every couple of seconds. It is perfectly normal, so don't worry.

    Best regards.

    Does this type of error cause the broadband to cut connection? I have a lot of security reports, both failures and successes, that appear to coincide with reboots of my modem. As usual, there's never any warning unless you're watching Event Viewer or you watch your broadband lights mysteriously vanish. Once is bad enough, but this is happening every hour and a half on average, and it's beginning to get annoying.

    Sunday, November 06, 2011 6:53 PM