Several log entries of event 4624 in security auditing

Q: Several log entries of event 4624 in security auditing

I have several of these logs reported followed shortly by an event 4634. What the heck is this? Is someone logging onto my computer when I get on it?

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/21/2012 9:23:56 PM
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: JohnsRig-PC
Description:
An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0xbf508f
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: TRACI
Source Network Address: 192.xxx.xxx.3
Source Port: 49182

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2012-10-22T02:23:56.295740600Z" />
<EventRecordID>36226</EventRecordID>
<Correlation />
<Execution ProcessID="620" ThreadID="4976" />
<Channel>Security</Channel>
<Computer>JohnsRig-PC</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-7</Data>
<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
<Data Name="TargetDomainName">NT AUTHORITY</Data>
<Data Name="TargetLogonId">0xbf508f</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">TRACI</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">NTLM V1</Data>
<Data Name="KeyLength">128</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">192.xxx.xxx.3</Data>
<Data Name="IpPort">49182</Data>
</EventData>
</Event>

A: Several log entries of event 4624 in security auditing

See this article, "Event 4624 null sid - Repeated security log", to learn about the event 4624 null SID.
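
As an added example (not part of the original thread): Python that reads the Event Xml posted in the question, pulls out the fields the event description explains, and pairs the 4624 with the 4634 that follows it by logon ID. The 4634 record and its timestamp are constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The 4624 event from the question, trimmed to the fields used below.
LOGON_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID>
<TimeCreated SystemTime="2012-10-22T02:23:56.295740600Z" />
<Computer>JohnsRig-PC</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="TargetUserSid">S-1-5-7</Data>
<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
<Data Name="TargetLogonId">0xbf508f</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">TRACI</Data>
<Data Name="LmPackageName">NTLM V1</Data>
<Data Name="IpAddress">192.xxx.xxx.3</Data>
</EventData></Event>"""

# Constructed sample: a matching 4634 logoff (the question mentions one but
# does not show it). The timestamp is an assumption made for this example.
LOGOFF_4634 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4634</EventID>
<TimeCreated SystemTime="2012-10-22T02:24:07.000000000Z" />
<Computer>JohnsRig-PC</Computer></System>
<EventData>
<Data Name="TargetUserSid">S-1-5-7</Data>
<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
<Data Name="TargetLogonId">0xbf508f</Data>
<Data Name="LogonType">3</Data>
</EventData></Event>"""

# The two logon types the event description names as most common.
LOGON_TYPES = {2: "interactive", 3: "network"}


def parse_time(value):
    """Event timestamps carry 100 ns precision; datetime keeps microseconds."""
    base, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=int((frac + "000000")[:6]),
                         tzinfo=timezone.utc)


def parse_event(xml_text):
    """Return the event ID, time, computer and named EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "id": int(system.findtext("e:EventID", namespaces=NS)),
        "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "data": data,
    }


def describe_logon(event):
    """Summarise a 4624 using the fields the event text describes."""
    d = event["data"]
    return {
        "logon_type": LOGON_TYPES.get(int(d["LogonType"]), "other"),
        "anonymous": d["TargetUserSid"] == "S-1-5-7",      # ANONYMOUS LOGON
        "null_subject": d.get("SubjectUserSid") == "S-1-0-0",  # NULL SID
        "ntlm_version": d.get("LmPackageName", "-"),
        "origin": (d.get("WorkstationName", "-"), d.get("IpAddress", "-")),
    }


def pair_sessions(events):
    """Match each 4624 to the later 4634 with the same computer and logon ID."""
    open_logons, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["computer"], ev["data"].get("TargetLogonId"))
        if ev["id"] == 4624:
            open_logons[key] = ev
        elif ev["id"] == 4634 and key in open_logons:
            start = open_logons.pop(key)
            seconds = (ev["time"] - start["time"]).total_seconds()
            sessions.append((key[1], start["data"]["TargetUserName"], seconds))
    return sessions


if __name__ == "__main__":
    parsed = [parse_event(LOGOFF_4634), parse_event(LOGON_4624)]
    print(describe_logon(parsed[1]))
    for logon_id, user, seconds in pair_sessions(parsed):
        print(f"{user} session {logon_id} lasted {seconds:.1f}s")
```

For the event in the question this reports a network (type 3) logon by ANONYMOUS LOGON over NTLM V1 that originated from workstation TRACI, not an interactive logon at the console.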

RELEVANCY SCORE 74

Hi, and thanks for your help, in advance. It is very nice to be there.

I have a nearly brand new Msi computer with Windows 8.1

I had noticed weird entries in my event viewer Security log, attempts were made to query a blank password for my accounts. That was the initial post. I believe this to have been resolved. However, I would like someone to take a deeper look, because it always says guest accounts in the event with this error (invité means guest in French).

I have Avast! and Comodo, and they say I am clean
---

No apps deleted, there are details about the event:

- System
  - Provider
    [ Name] Microsoft-Windows-Security-Auditing
    [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
  EventID 4797
  Version 0
  Level 0
  Task 13824

... Read more

A: Windows Event id 4797 and 4624

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/572003 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

RELEVANCY SCORE 73.2

Hello,

I have a system that has many Event ID 4624 Successful (Anonymous) Logon entries with the corresponding 4634 Logoffs. The account name is ANONYMOUS, with NO network information whatsoever on any of the event entries with the account domain as NT AUTHORITY. There is a total of 1185 over a 12 month period.
These are all Logon Type 3 (network)
Are there any legitimate reasons for this? How come there is NO source IP or workstation name listed on any of these? This is on a Windows Vista system. There is an IIS_IUSR account, but the system is not supposed to be running a webservice. Though not sure how I can check. Are there any registry keys that would show this? All I have is a dead system image, and I can't boot it up.
Thanks,

A: Event ID 4624 Successful (Anonymous) Logon

Hmmmm...
Network (i.e. connection to shared folder on this computer from elsewhere on network)
(logon type 3).

I would remove remote access if you have this established. I'm not knowledgeable about this message and it may refer to something innocent, but let's go ahead and close access if that is currently available.

RELEVANCY SCORE 72.4

Hi;
I am running XP Home SP2 and hopefully all clean, but have just noted in EventViewer/Security- many new entries with each start, or restart such as,

"An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts.
Authentication Package Name: C:\WINDOWS\system32\schannel.dll : Schannel"

That's an example of one of the earlier ones on May 17.
This is one from just a few minutes ago,

"A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.

Logon Process Name: RASMAN

For more information, see Help and Support Center at "

I have no idea of what RASMAN is.

Windows Firewall is running.

Looking forward to any help- Thanks much.

Roger

A: Event Viewer / Security- Many New Entries

Quote:
Originally Posted by Processlibrary.com
rasman.exe is a Windows service which is used to dial phone numbers from the phone book. This program is important for the stable and secure running of your computer and should not be terminated.

More than likely it is just services starting/restarting. It may also make an entry when you boot up or shut down.

You can clear the log, reboot and see what all pops up.

RELEVANCY SCORE 70

Hi,
We have observed too many recurring Logon / Logoff events (Event IDs: 4624, 4672, 4634, 4648) on a workstation running Windows 7. In this context we have the following queries:
1- If a Windows 7 workstation is turned on and in Screen Lock state, does Windows allow / create a login session for any application running in the background, or due to internet updates like antivirus definition update / Windows update?
2- If a Windows 7 workstation is turned on and logged in, does Windows allow / create additional login sessions for any application running in the background during an existing login session?

RELEVANCY SCORE 69.6

Hi all, and thanks in advance.
 
I have a new Windows 8.1 Dell laptop (one week old).  Windows is fully updated, as is Firefox (with NoScript and Web of Trust), Avast! free, and Malwarebytes.  I have not used Windows 8 before so I am not sure what is normal.  The computer runs fine, but I need to use my computer for sensitive financial information on occasion, so I need to be sure.
 
One odd event yesterday had me digging in the event viewer.  I found 2 types of events that unsettled me.
 
1)  I was playing a game when the screen flashed black, twice.  I have only integrated graphics, but this is not a graphically intensive game (Dungeon Crawl, if you know it). I checked my graphics drivers and they are up to date.  A look at the event viewer revealed three items in the security log: a blank password query followed by a logon and then a special logon.
 
I have copied and pasted them, separated by "---".  There was a lot of code after each event that I haven't posted to save space; also, I've "XXXXX"ed out the name of the computer and the account.
 
 
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/10/2014 1:14:13 PM
Event ID:      4797
Task Category: User Account Management
Level:         Informat... Read more

A:Odd Entries in Security Logs of Event Viewer - Infection or Windows 8 Oddity?

See the post here http://social.technet.microsoft.com/Forums/windows/en-US/e6db8fba-c2c8-47be-a992-96e383e34693/windows-8-event-id-4797-in-security-log
The last post states it's not malware. You may want to ask in Win8 if they have more info.

RELEVANCY SCORE 66.8

Hello Everybody,
We have a requirement in our project to audit all security relevant events on the system, including the start/stop of auditing functions. The problem is that Windows is not registering the start of the event log service when you manually stop/start the service.
There is only an audit event on the system log, but linked to the system startup and not under the security category when you do the start/stop manually. Is this a Windows bug or a matter of configuration?
Best regards,
Alejandro.

RELEVANCY SCORE 60.8

Hi all,

Does anyone know how to turn off the security auditing in Windows XP Home? In Event Viewer > Security, I see a lot of "Success Audits" and I was hoping there was a way to turn them off. Thanks.
 

A:Help with Security Auditing in XP Home

RELEVANCY SCORE 59.6

Should I be worried? Also I don't know if this is the right place to post this...

Code:
System
  - Provider
    [ Name] Microsoft-Windows-Security-Auditing
    [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
  EventID 6281
  Version 0
  Level 0
  Task 12290
  Opcode 0
  Keywords 0x8010000000000000
  - TimeCreated
    [ SystemTime] 2013-01-26T20:14:21.908303300Z
  EventRecordID 46291
  Correlation
  - Execution
    [ ProcessID] 4
    [ ThreadID] 6656
  Channel Security
  Computer bluedragon
  Security
- EventData
  param1 \Device\HarddiskVolume2\Windows\System32\VMWRP64.DLL


Edit:

I'm not certain but I seem to have a lot of warnings, errors, etc. Hopefully nothing serious.

A:Microsoft-Windows-Security-Auditing failure

Do you still need help with this? If so, please post back and I'll see what assistance I can provide.

Please provide these reports (even if not experiencing BSODs) so we can provide a complete analysis: https://www.eightforums.com/bsod-cra...tructions.html

Please also do this:
- open Event Viewer (eventvwr.msc)
- expand the Custom Views category (left click on the > next to the words "Custom Views")
- right click on Administrative Events
- select "Save all Events in Custom View as..."
- save the file as Admin.evtx
- zip up the file (right click on it, select "Send to", select "Compressed (zipped) folder")
- upload it with your next post (if it's too big, then upload it to a free file-hosting service and post a link here).

RELEVANCY SCORE 59.2

Hi! I've been using Windows 10 for a while now and except for one time where my start button and notification tray stopped working (solved that by migrating to a new user account), I haven't had any problems.

Except maybe a week ago.

Consistently during use (either for simple browsing or whatever), I keep hearing multiple instances of the sound I hear whenever a new device is plugged in (i.e. USB Flash Disk). It's REALLY annoying.

At first I thought it was because my graphics card was failing (it is). I thought that because of this, whenever my PC needed to do graphics-processing intensive tasks, like downloading a large image, the card bugged out and so the PC responded by believing that the hardware was being plugged back in and out.

Apparently, this is wrong. I finally got fed up and checked my event viewer. Everything is hunky-dory EXCEPT the 'Security' category, which has an overwhelming number of events. I then monitored it and was witness to new events being created (as signified by the sound being played). Therefore, I can reliably assume that the sound I've been hearing has actually been this event happening over and over again.

Basically, every minute or so, a new event is created. It has the Event ID of 4798, Source: Security-Auditing, Task Category: User Account Management and Keywords: Audit Success.

I have hundreds of this. Please see attached image.

Any idea what could be the problem? Thanks!

A:Too Many 'Audit Success' Security-Auditing Events Happening

Did you ever find a solution? I'm having the identical issue with no luck searching the web for solutions. . .

RELEVANCY SCORE 56

Hello:
My OS is Dell dim. 3000, win xp home, sp3, Toshiba 320GB USB external HD

I am struggling with a Toshiba external HD that works sometimes but generally turns on and off when first connected. I have done everything imaginable to determine if the problem is with the (new) drive itself or within my computer. I thought I had the problem fixed by formatting the drive yesterday with the Device Manager while it was in a working state. After several formats!, I placed a large amount of data/info on the external drive assuming it is now working but this morning the Toshiba drive is right back to turning on and off!!!

My last effort was to look at the Event Log (which I do not know how to read) and saw many events within the time frame of my Toshiba failures so here is the event log info - please help me understand the message and what to do about it...............

Applications:
The description for Event ID ( 0 ) in Source ( gusvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service stopped.

System [there are a huge number of yellow "Warning" listings under System like this]
The system failed to flush data to the transaction log. Corruption may occur.
... I am pretty sure these refer to the faulty performa... Read more

A:Event log entries

What is the exact model of the drive you have?

Also does it have it's own power source or does it get powered from the PC, and if from the PC does it have one or two USB cables that connect to the PC?
 

RELEVANCY SCORE 55.2

I am still seeing unexpected restarts, though not as many as prior to upgrading from 7 to 10. However the event logs around today's restart were a bumper crop, of which some I have not seen before. I hope someone will look at what I post below and advise me, please, if there is anything there to be worried about. For instance why the entry about Windows.old, removed as no longer required, is puzzling. Could my system be on the blink?


Code:
The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_
Generic-&Prod_Compact_Flash&Rev_1.01#058F63626420&1#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
and other similar warnings
Task Scheduler service found a misconfiguration in the NT TASK\Microsoft\Windows\Media Center\PvrRecoveryTask definition.
Additional Data: Error Value: %SystemRoot%\ehome\mcupdate.exe.
Task Scheduler service found a misconfiguration in the NT TASK\Microsoft\Windows\Media Center\PBDADiscoveryW1 definition
. Additional Data: Error Value: %SystemRoot%\ehome\ehPrivJob.exe.
and 16 other similar warnings
The server service was unable to recreate the share Windows.old because the directory C:\Windows.old no longer exists.
Please run "net share Windows.old /delete"
to delete the share, or recreate the directory C:\Windows.old.
Session "Pku2uLog" failed to start with the following error: 0xC0000035
and 4 other similar warnings
Name resolution for the name wpad timed out after none of the conf... Read more

A:Should these event entries worry me?

Looks like it got a hiccup during Housekeeping. Open a Command Window and run sfc /scannow and follow the info at DISM - Repair Windows 10 Image - Windows 10 Forums

Always read the stickies on the forum and check the tutorials first for suggested repair options. If you run into further issues, post exactly what the problem is and any error messages.

RELEVANCY SCORE 54.8

The following log files were generated at a time when I was not present and my computer was turned off
It appears (to me, at least) that to have created these entries, one must have bypassed (or cracked) both the BIOS and Windows passwords. Can anyone tell me what has occurred here and what I can do to prevent future occurrences of this nature?

system log:
Type Date Time Source Category Event User Computer
Information 10/28/2006 8:40:50 PM eventlog None 6006 N/A PC120716747189
Error 10/28/2006 8:40:49 PM Service Control Manager None 7026 N/A PC120716747189
Error 10/28/2006 8:40:49 PM Service Control Manager None 7001 N/A PC120716747189
Error 10/28/2006 8:40:49 PM Service Control Manager None 7001 N/A PC120716747189
Error 10/28/2006 8:40:49 PM Service Control Manager None 7001 N/A PC120716747189
Error 10/28/2006 8:40:49 PM Service Control Manager None 7001 N/A PC120716747189
Error 10/28/2006 8:40:48 PM DCOM None 10005 SYSTEM PC120716747189
Error 10/28/2006 8:39:39 PM DCOM None 10005 SYSTEM PC120716747189
Error 10/28/2006 8:39:28 PM DCOM None 10005 Administrator PC120716747189
Information 10/28/2006 8:39:03 PM eventlog None 6005 N/A PC120716747189
Information 10/28/2006 8:39:03 PM eventlog None 6009 N/A PC120716747189
Information 10/28/2006 8:37:49 PM eventlog None 6006 N/A PC120716747189
Information 10/28/2006 8:18:39 PM Service Control Manager None 7036 N/A PC120716747189
Information 10/28/2006 8:18:34 PM Service Control Manager None 7036 N/A PC120716747189
Information 10/28... Read more

A:Event Log Entries Indicate....cracked?...hacked?

Hello: I see you are being helped here: http://www.bleepingcomputer.com/forums/t/72601/is-maxreexe-malware/ I would suggest you tell SifuMike about this issue and paste in the link to this topic in addition to what he has already asked you for.
Orange Blossom

RELEVANCY SCORE 54.8

Recently I had MSN tell me that my account was compromised because of suspicious activity, and so I had to change my password. I've noticed no other suspicious activity on my computer, and repeated scans with a variety of AV solutions have showed nothing - however, there are a few event viewer logs that worry me:

Log Name: System
Source: Service Control Manager
Date: 1/19/2013 11:41:09 PM
Event ID: 7039
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: user-PC
Description:
A service process other than the one launched by the Service Control Manager connected when starting the Google Update Service (gupdate) service. The Service Control Manager launched process 5604 and process 2480 connected instead.

Note that if this service is configured to start under a debugger, this behavior is expected.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="32768">7039</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2013-01-20T04:41:09.527116... Read more

A:Odd Entries in Event Viewer - Something to be Worried about?

can someone please help me with this?

RELEVANCY SCORE 54.8

I have gotten an error message while trying to update to Daemon Tools 10 four different times now. The message that is displayed is "invalid server response http error 401" (number may be off, I know it began with a "4"), which gets no hits on the internet at all, however, just "invalid server response" gets lots of hits, albeit pre-2011, version 4, and Windows XP. This is 2015, version 10, & Windows 7. The information from back then won't be of any use. I was trying to get the exact error message and more information so I can head up to Daemon Tools forums and post an inquiry, and that's when I noticed that the application logs stop at July 5th. I won't be able to give an exact reading of the problem because I can't find the application log for it. I see plenty of results for missing application logs, but missing all recent logs past a certain date seems to be an isolated issue because none of the problems posted on the internet seem to match my problem.

A:No Event Viewer entries since July 5th

Please download VEW by Vino Rosso http://images.malwareremoval.com/vino/VEW.exe
and save it to your desktop

Double click it to start it Note: If running Windows Vista or Windows 7 you will need to right click the file and select Run as administrator and click Continue or Allow at the User Account Control Prompt.
Click the check boxes next to Application and System located under Select log to query on the upper left

Under Select type to list on the right click the boxes next to Error and Warning Note: Running Windows Vista or Windows 7 also click the box next to Critical (not XP).

Under Number or date of events select Number of events and type 20 in the box next to 1 to 20 and click Run

Once it finishes it will display a log file in notepad
Please copy and paste its entire contents into your next reply

RELEVANCY SCORE 54.8

Hi, I'm running Windows XP Pro, service pack 2. My computer has been acting strange lately - Browsing the internet is half (or less) as fast as usual, applications seem to load slower, quite often while browsing I get a "Page cannot be displayed error", this started about a month ago. I tried running AdAware and it prompted me for an update. When I tried, it would only get to 5% and then error out. I tried going to Trend (Housecall) but I kept getting errors and "Page cannot be displayed". In my event log, I see hundreds of errors like this one -

Event Type: Information
Event Source: MSSQL$SQLEXPRESS
Event Category: (2)
Event ID: 17126
Date: 12/28/2007
Time: 6:38:26 PM
User: N/A
Computer: WORK
Description:
SQL Server is now ready for client connections. This is an informational message; no user action is required.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: e6 42 00 00 0a 00 00 00 ?B......
0008: 10 00 00 00 57 00 4f 00 ....W.O.
0010: 52 00 4b 00 5c 00 53 00 R.K.\.S.
0018: 51 00 4c 00 45 00 58 00 Q.L.E.X.
0020: 50 00 52 00 45 00 53 00 P.R.E.S.
0028: 53 00 00 00 00 00 00 00 S.......

The source of all these errors is MSSQL$SQLEXPRESS, the event category is always (2) but there are several different Event ID's. I am running an internet filter from AFO, but this filter has been running for months prior to my experiencing problems. I also did recently install the latest version of Nero. Has anyone ever... Read more

A:Strange Entries In My Application Event Log

Welcome to the BleepingComputer HijackThis Logs and Analysis forum. My name is Richie and I'll be helping you to fix your problems.
Apologies for the late response, as I'm sure you can appreciate we are extremely busy.
If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere then please let us know.
If you have not followed the info in the link below prior to posting your log then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
If you still require help, please post a new Hijackthis log into this topic in your next reply. Also post a detailed description of the issues you're experiencing.
*Note* Post all reports/logs directly into this topic, not as attachments, thanks.

RELEVANCY SCORE 54.8

Hi, We had recently switched from MP9 G1's (that worked great) to G2's and have discovered that these machines randomly lock up when idle for long periods of time. For example, after leaving it on over night and checking back in the morning, the machine appears to be completely frozen - the display still outputting the desktop (although completely frozen). The keyboard does not respond to any key presses and network activity is lost (can't remote desktop in for example). A force reboot is required. Looking through event viewer logs, it suddenly stops logging at the time it freezes - nothing stands out, no bugchecks or BSOD related messages. I enabled automatic restart and the generation of debug dump files, however the machine still freezes without displaying a BSOD or generating any files. We've experienced this on roughly half of the 40 units we have on testing. BIOS version/date is HP N21 Ver. 02.05, 11/11/2015. OS: WES7. All drivers have been uninstalled/reinstalled/updated. Power settings have been changed to try to troubleshoot. We ran Memtest, Prime95 and various other hardware stress tests and cannot replicate the issue. It's also not guaranteed that if we left the machine idle for 24 hours that it would definitely lock up. Any ideas?

RELEVANCY SCORE 54.8

Hello,
Many of our machines are experiencing Excessive Event ID 4673 entries. 6 to 11 times each and every second, day after day ... Process Name: C:\program files\Realtek\Audio\HDA\WavesSvc64.exe

Quickest fix found so far is by uninstalling the sound card driver in the Device Manager and to scan for hardware changes.

There are just too many machines to do this to. 
Why would this be happening and what can be done to stop this event ID from occurring?
Do not want to go to every machine and re-install sound driver.

Thank you

RELEVANCY SCORE 54

Hi,

I'm quite consternated and I'd love to hear your opinions on this. The story:

I'm experiencing strange restarts but not random, I can routinely replicate it. After a boot IF I leave the logon screen alone (i.e. without logging in), the system restarts itself almost like automatically after about 10 seconds. If I do log in within the 10 seconds interval, the login is successful and the restart won't occur. So no restarts while working.

Logically, I started searching the Event log; that's where I discovered the scary part (after some tests and trials):

The entire "restarted" session is missing!

Like:

20:00 I shutdown the computer (from Windows start menu).

20:10 I start the computer. The log on screen appears. 10 seconds pass and said automatic restart occurs.

20:20 I start the computer, log in within 10 seconds interval and start working (and searching the Event log).

In the Event log around 20:00 there are usual shutdown routine entries.
Around 20:20 there are usual boot up routine entries.
There are absolutely NO log entries indicating the system was run at 20:10 at all!!!
(Only exception is rather cheeky:
"The previous system shutdown at 20:11:03 on 3.12.2009 was unexpected.")
There are NO log entries (Application/Security/System) with any such time.

I find this extremely confusing.

I suspected Microsoft Security Essentials because there was one time that the restart occurred shortly AFTER I ... Read more

A:MSE, restarts before login, missing event log entries

Try another free antivirus - and scan the system to rule out malware.

RELEVANCY SCORE 54

My Event Viewer entries regularly include these:
Source- Dlcp
Event- 1007

Source- Service Control Manager
Event- 7023

Both are marked with symbols that I take as needing serious attention.

What is occurring? Need I do something?

Thanks, {redoak}
 

A:Desire Event Viewer entries info

RELEVANCY SCORE 54

So my computer randomly freezes up and when I boot up there are no log entries of the event. There are however always 3 log entries but I don't believe they are related to the actual problem. The 3 that are always there are: 6008, 7026 and 41.

Now when I say it freezes I mean it literally freezes up. I do not get any blue screen or black screen or any errors it literally freezes as if I took a screenshot of my desktop and was looking at it. I can not use my mouse or keyboard I can not hear anyone in a skype call or anything it is FROZEN. The only way I am able to reboot it is by holding the power button which thus gives me the error code 41 above.

Computer Specs:
OS: Windows 7 64 bit
CPU:i5 2500k
GPU: GTX 560TI
MOBO: GIGABYTE GA-Z68XP-UD3
RAM: 12 GB G.SKILL Ripjaws Series DDR3 1600

Please please someone tell me what they need to help me resolve this problem. It is very annoying to be in the middle of something and my computer freezes up. It has happened in the middle of work and I lose everything and in the middle of gaming and well that's never a good thing. Anything you need please just tell me I really need to get this fixed, as a side note it is the 4th fresh install of Windows 7 so please don't just drop by and say install Windows again because I have tried that.

I also know it is not a heating issue as I keep a monitor on my GPU/CPU temps and they are never high not to mention the computer freezes sometimes while just browsing the internet and has not frozen while ... Read more

A:Random Computer Freezes With NO Event Log Entries

It could be a hard drive that is going bad or corrupted. A very common sign that a hard drive failure is imminent. To check a hard drive, click start orb and right click computer, select properties and then in the open window select tools tab. Then click the check now tab in the Error-checking box.

Read other 6 answers
RELEVANCY SCORE 54

Hello,

I have a home built machine that has been running without issue for a few months. On Friday, out of nowhere my screen completely froze (no change in clock, etc.) without any response to keyboard strokes, mouse clicks, CTRL+ALT+DEL, and so on. Some applications were running but I wasn't using the keyboard/mouse at the time of the lock up. I then did a hard reboot, and everything ran fine for a few hours when another freeze occurred - again, nothing in event log to indicate what occurred before the freeze.

I began going through some troubleshooting like SFC scan and wasn't really finding anything until I noticed that my Windows Experience Score needed to be refreshed b/c new hardware had been detected (it may have been this way for a long time, I'm never in the control panel during my normal usage). Anyhow, just for the heck of it I decided to click the button to refresh my score. The update began to progress normally "Running the Direct3D..." then "Running the ...." and so forth until it got to "Tuning Windows Media Decoding" at which point it froze. I assumed that it was just time for another random freeze, but after hard rebooting and attempting to refresh the Windows Experience Score again it froze at the same point in the update "Tuning Windows Media Decoding". I verified that it was reproducible this way 4 times.

So I guess my question is, what occurs during this update either at or immediately after the "Tuning... Read more

A:Reproducible Win7 64-bit lock up - no event log entries

Try the free video tests (and Prime 95) here: Additional Hardware Diagnostics

Update your video drivers
Check the video card to ensure that it has power, that the fan is running and that the cooler isn't obstructed or covered with dirt/dust.
Monitor temps to see if they spike as the problem occurs.

Read other 9 answers
RELEVANCY SCORE 53.6

hi all,

i always check my boot time from event manager following this pattern:

Event viewer -> Applications and Services log -> Microsoft -> Windows -> Diagnostic Performance -> Operational

off late, i have noticed under Microsoft i get another entry along with Windows. it is IEResp. this was not present earlier.

further under Diagnostic Performance, there was only operational but now there are two more entries i.e Diagnostic and Diagnostic -loopback.

i have observed that my booting time has also gone up.

are these entries valid? why have they turned up? is it ok to keep them or is there any thing i need to do since these entries have turned up.

kindly drop ur views.
thanks,

A:Event Viewer: New Entries Under App. & Service Logs -> Microsoft

pls drop in your views

Read other 6 answers
RELEVANCY SCORE 53.6

This is technically a Windows Server 2003 question, but would apply to XP just the same.

The application event log of a server has 25,000+ entries, 22,000+ of them are from the same source and are no longer needed and can be archived. However, I don't want to archive the other 3,000 entries.

Does anyone know of a way that I can archive and purge a filtered set of log entries?
 

A:Purging / Archiving Selected Windows Event Log Entries

i don't think xp server supports part archiving. to the best of my knowledge, it is save all or lose all so you just have to make your choice
 

Read other 1 answers
RELEVANCY SCORE 53.6

Hi there,
I have dozens of logon/logoff entries in my event viewer
most of which are supposedly done by NT AUTHORITY
or NETWORK SERVICE. Running WINXP HOME SP3 IE8

5/21/2012 1:58:01 PM Security Success Audit Policy Change
858 NT AUTHORITY\SYSTEM PAS Windows Firewall group policy settings have been applied.

5/21/2012 1:57:58 PM Security Success Audit Policy Change
858 NT AUTHORITY\SYSTEM PAS Windows Firewall group policy settings have been applied.

5/21/2012 9:43:51 AM Security Success Audit Privilege Use
576 NT AUTHORITY\NETWORK SERVICE PAS "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"

5/21/2012 9:43:51 AM Security Success Audit Logon/Logoff
528 NT AUTHORITY\NETWORK SERVICE PAS "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: -"

5/21/2012 7:17:49 AM Security Success Audit Privilege Use
576 NT AUTHORITY\NETWORK SERVICE PAS "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"

5/21/2012 7:17:49 AM Security Success Audit Logon/Logoff
528 NT AUTHORITY\NETWORK SERVICE PAS "Successf... Read more

A:Suspicious logon/logoff entries in event viewer

First what alerted you of these "warnings"?

Read other 13 answers
RELEVANCY SCORE 52.8

Hi all,

I've been having this laundry list of errors showing up in the Event Viewer app logs a few times per day since 6/10. I've tried to look into what it's about, but it doesn't seem to really be doing any harm (at least any that I can see) so without an application actually giving me a loss of noticeable functionality it's hard to say what it is.

Google has come up with it being an Office issue, which I don't have. I've also found information regarding the asp.net part of it, but trying any of the suggested fixes for both issues has failed 100%.

Does anyone know if this is actually anything to worry about, or how to stop it anyway? I can probably just ignore it but it does bug me knowing that something's failing constantly like that when it wasn't there prior to 6/10.

Attached a screenshot. In order from bottom to top on the screenshot, here's what the info states for each:
The Open Procedure for service ".NETFramework" in DLL "C:\WINDOWS\system32\mscoree.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
----------
Windows cannot open the 32-bit extensible counter DLL ASP.NET_1.1.4322 in a 64-bit environment. Contact the file vendor to obtain a 64-bit version. Alternatively, you can open the 32-bit extensible counter DLL by using the 32-bit version of Performance Monitor. To use this tool, open the Win... Read more

A:Repeat Perflib error entries in Event Viewer (Win10)

41 views and no replies?

/sigh
 

Read other 1 answers
RELEVANCY SCORE 52.8

Hi there,
I have dozens of logon/logoff entries in my event viewer when I turn on my PC, most of which are supposedly done by NT AUTHORITY or NETWORK SERVICE. What's also weird is that I get some failed logon attempts as well. This happens every time. I should say that I do suspect someone on the same network (I am one of two clients hooked up to a router+modem that connects to the internet) of malicious activity. But I don't know if this is related. I have turned on logon/logoff auditing. The following is what I see upon waking up my PC from standby. You can see my actual logon occurring a few seconds after all the 'network services' have logged on.

4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 538 YOUR-699C5579F9\Laura YOUR-699C5579F9 "User Logoff:
User Name: Laura
Domain: YOUR-699C5579F9
Logon ID: (0x0,0x56CA957)
Logon Type: 7
"
4/12/2008 11:38:20 PM Security Success Audit Privilege Use 576 YOUR-699C5579F9\Laura YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x56CA957)
Privileges: SeChangeNotifyPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege"
4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 528 YOUR-699C5579F9\Laura YOUR-699C5579F9 "Successful Logon:
User Name: Laura
Domain: YOUR-699C5579F9
Logon ID: (0x0,0x56CA957)
Logon Type: 7
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: YOUR-699C5579F9
Logon GUID: {00000000-... Read more

A:Solved: Suspicious logon/logoff entries in event viewer

Read other 12 answers
RELEVANCY SCORE 52.8

Hi there,
I have dozens of logon/logoff entries in my event viewer when I turn on my PC, most of which
are supposedly done by NT AUTHORITY or NETWORK SERVICE.

5/21/2012 1:58:01 PM Security Success Audit Policy Change
858 NT AUTHORITY\SYSTEM PAS Windows Firewall group policy settings have been applied.

5/21/2012 1:57:58 PM Security Success Audit Policy Change
858 NT AUTHORITY\SYSTEM PAS Windows Firewall group policy settings have been applied.

5/21/2012 9:43:51 AM Security Success Audit Privilege Use
576 NT AUTHORITY\NETWORK SERVICE PAS "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"

5/21/2012 9:43:51 AM Security Success Audit Logon/Logoff
528 NT AUTHORITY\NETWORK SERVICE PAS "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: -"

5/21/2012 7:17:49 AM Security Success Audit Privilege Use
576 NT AUTHORITY\NETWORK SERVICE PAS "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"

5/21/2012 7:17:49 AM Security Success Audit Logon/Logoff
528 NT AUTHORITY\NETWORK SERVICE PAS "Successful Logon:
User Name: NETWOR... Read more

A:Solved: Suspicious logon/logoff entries in event viewer

Read other 14 answers
RELEVANCY SCORE 52.4

Hi,

we have some servers (mainly for IIS roles) that sit behind a proxy server.
Is there a way to set the windows security event log to listen to x-forwarder headers (when present) and include the real source client IP in the event? I know that IIS does this automatically in its own log- however when searching for user lockout events
we do so in the windows security event log on the domain controller- not having the info there makes lockouts very difficult to track (sadly we have no siem or log management tool)

Read other answers
RELEVANCY SCORE 52.4

Hi there,

I bought a Sony Vaio VPCZ227GG almost 2 months back and it's been running perfectly until the last week. There have been no hardware updates, system installs etc. only the recommended Sony Vaio Care driver updates.

I will be using the laptop for a while and then it will just crash. The laptop stays on the screen it was on before the crash but the mouse, keyboard, basically everything is dead. The only way to cycle it is to power down.

I have attached all the files as per the BSOD posting instructions and would really appreciate any help or guidance.

System Spec
Windows 7-64 bit Came preinstalled
Intel® Core™ i7-2640M Processor 2.80 GHz with Turbo Boost up
8GB Ram
256 SSD Drive
Intel Onboard Graphics
AMD Radeon External Graphics via Media Dock
Full Retail
Hardware and OS less than 2 months old.

Thanks

Adrian

A:Sony Vaio VPCZ227GG Freezes with no errors, event log entries or dumps

No DMP file in the upload, try this method.

We do need the DMP file as it contains the only record of the sequence of events leading up to the crash, what drivers were loaded, and what was responsible.

If you are overclocking STOP

You may be able to get the DMP files without crashing by booting into safe mode (F8) with networking.

To enable us to assist you with your computer's BSOD symptoms, upload the contents of your "\Windows\Minidump" folder.

The procedure:





Quote:
* Copy the contents of \Windows\Minidump to another (temporary) location somewhere on your machine.
* Zip up the copy.
* Attach the ZIP archive to your post using the "paperclip" (file attachments) button.
*If the files are too large please upload them to a file sharing service like "Rapidshare" and put a link to them in your reply.



To ensure minidumps are enabled:





Quote:
* Go to Start, in the Search Box type: sysdm.cpl, press Enter.
* Under the Advanced tab, click on the Startup and Recovery Settings... button.
* Ensure that Automatically restart is unchecked.
* Under the Write Debugging Information header select Small memory dump (256 kB) in the dropdown box (the 256kb varies).
* Ensure that the Small Dump Directory is listed as %systemroot%\Minidump.
* OK your way out.
* Reboot if changes have been made.

Read other 7 answers
RELEVANCY SCORE 48

They look like this:


Code:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 6/25/2013 9:28:37 PM
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: ASUS-PC
Description:
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: ASUS-PC$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Type: 5
Impersonation Level: Impersonation
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2a0
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon ... Read more

A:Odd security entries on my main PC

Sounds scary !

Read other 2 answers
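
The 4624 event quoted in the question above can be triaged directly from its pasted text. The following is an added example, not code from the thread: a Python parser that reports the logon type, account and origin of such an event. It goes beyond the service logon shown to cover network logons, using a second event that is constructed for illustration (EXAMPLE-PC and 192.0.2.10 are placeholders).

```python
import re

# Logon type codes recorded in event 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
SECTIONS = {"Subject", "New Logon", "Process Information",
            "Network Information", "Detailed Authentication Information"}
LOCAL_SOURCES = {"", "-", "::1", "127.0.0.1"}
FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")

# The event from the question, line breaks restored, explanatory text omitted.
SERVICE_LOGON = r"""
Event ID: 4624
Subject:
Security ID: SYSTEM
Account Name: ASUS-PC$
Account Domain: WORKGROUP
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Process Information:
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Package Name (NTLM only): -
"""

# Constructed sample (not from the page): a network logon from another host.
NETWORK_LOGON = r"""
Event ID: 4624
Logon Type: 3
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Network Information:
Workstation Name: EXAMPLE-PC
Source Network Address: 192.0.2.10
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
"""


def parse_4624(text):
    """Parse a pasted 4624 description into {section: {field: value}}.

    Fields printed before the first section header are stored under "".
    """
    event = {"": {}}
    section = ""
    for raw in text.splitlines():
        match = FIELD_RE.match(raw.strip())
        if not match:
            continue  # blank lines and explanatory sentences
        name, value = match.group(1).strip(), match.group(2).strip()
        if not value and name in SECTIONS:
            section = name
            event.setdefault(section, {})
        elif name == "Logon Type":
            event[""][name] = value  # event-level, wherever it is printed
        else:
            event[section][name] = value
    return event


def triage(event):
    """Summarise who logged on, how, and whether the logon came from the network."""
    new = event.get("New Logon", {})
    net = event.get("Network Information", {})
    auth = event.get("Detailed Authentication Information", {})
    proc = event.get("Process Information", {})
    code = int(event[""]["Logon Type"])
    source = net.get("Source Network Address", "-")
    remote = source not in LOCAL_SOURCES
    notes = []
    if code == 5 and not remote:
        notes.append("service logon started locally by "
                     + (proc.get("Process Name") or "unknown process"))
    if code in (3, 10) and remote:
        host = net.get("Workstation Name") or "unnamed host"
        notes.append("remote logon from %s (%s)" % (host, source))
    if new.get("Account Name") == "ANONYMOUS LOGON":
        notes.append("anonymous session: no user credentials were presented")
    if auth.get("Package Name (NTLM only)") == "NTLM V1":
        notes.append("NTLM V1 negotiated")
    return {"logon_type": code,
            "type_name": LOGON_TYPES.get(code, "Unknown"),
            "account": new.get("Account Domain", "") + "\\" + new.get("Account Name", ""),
            "remote": remote,
            "notes": notes}


if __name__ == "__main__":
    for sample in (SERVICE_LOGON, NETWORK_LOGON):
        print(triage(parse_4624(sample)))
```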
RELEVANCY SCORE 48

Hi all,

I am running Windows XP Home Edition with Norton Internet Security connected to broadband.

I looked in my security log last week in Event Viewer and found about 10 entries for guest logging on and off every 100 of a second the last event is always a logoff.

The guest account is disabled and I have no warnings of an intrusion's in the Norton Firewall what can this be.

Thanks

A:Guest Entries In Security Log.

Install either Sygate 5.4 (I personally use) or Zone Alarm. But not both. This will allow you to see which programs are accessing the internet from your computer. I suspect a virus worm or trojan. I would recommend you run one if not all of the following free scans:

* Trendmicro's Housecall
* Panda's ActiveScan
* F-secure's Virus Scan
* SyGate's Trojan scan

Here is a full list of software I recommend you use.

Antivirus (Run only one.)
* AVG Free Edition Antivirus (I personally use)
* Avast Home Edition Antivirus Freeware
* AntiVir Personal Edition Classic Freeware
* BitDefender 8 Free Edition AntiVirus Freeware

Antispyware
* Microsoft AntiSpyware Beta (2000,and XP only)
* Spybot
* AdAware SE Personal Edition
* Ewido Security Suite - 14 day trial(2000, and XP only)
* A Squared Free

Online scans
* Trendmicro's Housecall
* Panda's ActiveScan
* F-secure's Virus Scan
* SyGate's Trojan scan

Utility
* cCleaner
* Everest home (hardware and software information) (Diagnostic and system resource)
* Memtest86 "A Stand-alone Memory Diagnostic"
* MicroSoft's Memory Test
* Digtal Dolly (Hard drive utility)
* www.bootdisk.com

Firewalls (Run only one.)
* Sygate 5.4 (I personally use)
* Zone Alarm (http://www.download.com/ZoneAlarm/3000-10435_4-10434530.html?tag=lst-0-4)

Best of all... they are free.

Read other 2 answers
RELEVANCY SCORE 48

Hello 
I have a problem with one of my  win 7 enterprise x64 machines.

I used the remote desktop function from the PC in question to connect to a server, did what I had to do and disconnected (I also connected to a shared folder on that server).
After some time the administrator of that server informed me that the PC is trying to connect to it and leaves logs of events 5140 and 4624. How do I stop that PC from doing this?
From what I got from looking at the logs I can say that this happens when any user logs in at that PC. But I don't see why it does this; there are no mapped drives, no scripts or scheduler tasks that could do this.

I would appreciate any suggestions how to resolve this.

Read other answers
RELEVANCY SCORE 48

I usually make a habit of checking Event Viewer (EV) on a regular basis, having installed new drivers and a new graphics card this morning, without a hitch, I decided to check EV since this was a rather big change to the system.

Sure enough there was some new entries. However when I looked into them, they offered little information as to what the problem was. When I used the link to see what online information was available, the Microsoft site came back with no information/fixes for this problem. These errors do not seem to be affecting anything, but I just wanted to know how you folks think I should proceed.

Here are the two errors and what info I could pull from EV:

Device Center -

- System
- Provider
[ Name] DeviceCenter
- EventID 0
[ Qualifiers] 0
Level 2
Task 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2013-01-28T15:58:54.000000000Z
EventRecordID 6396
Channel Application
Computer PC
Security
- EventData
Unknown Node:#text -->


Second error will be in the next post.

A:New Graphics Card new Event Viewer entries (NOT graphics related??)

The driver detected a controller error on \Device\CdRom0.

+ System
- EventData
\Device\CdRom0

Read other 3 answers
RELEVANCY SCORE 47.6

Running xp
I found the following entries with in the interface folder of my registry:
_Evidence
_IEvidenceFactory
_PermissionRequestEvidence

"In layman's term",...any idea what these are associated with?

Also....is it common for xp svchost and system to run or listen on ports 139 and 5000?

I also found 1 share and I am a single user.Share can not be disabled.

shared folder:IPC$ shared path type:windows connection:0 client:remote IPC

...any idea what this might be?

Used 3 reg clean programs and entries remain.Used 4 different trojan/virus removal programs,and didn't find anything

Info would be appreciated
thanx:
 

A:Odd registry entries and security questions

I can't give you a "lay" answer to the first question, as I'm not familiar with its functions either; but here is a "library" reference:

http://msdn.microsoft.com/library/d...fsystemsecurityievidencefactoryclasstopic.asp

It is normal for port 139 (a NetBIOS port) to be open when Print and File Sharing are enabled.

And on WinXP 5000 is associated with certain plugn play features, but can be closed if you want.

http://forums.techguy.org/showthread.php?s=&threadid=68099&highlight=port+5000
 

Read other 1 answers
RELEVANCY SCORE 47.6

Hi,

I have read the 2 other relevant threads in SevenForums (as well as many others on other sites) but I still have not found a solution to this issue.

My Lenovo T530 will randomly freeze an application for a couple of seconds at a time. The behavior is per application ie: Outlook may freeze but I can still use Chrome. Or Chrome may freeze but Acrobat still works. It can happen to pretty much any application at any unexpected time - sometimes a few times in an hour and sometimes once every few hours. The "freeze time" varies from barely noticeable to ~5 seconds.

I have definitely connected these freezes to events 4624 (An account was successfully logged on) and 4672 (Special privileges assigned to new logon) that appear in the event viewer under the Security Logs section but it is not clear to me what may cause them.

I have performed most of the tests/SFC/device driver/bios upgrade/malware scans that have been recommended (with no change). I have not completely ruled out some strange HDD issue - but I am not sure why such behavior would just start one day (when the laptop had been working perfectly for 8 months). Also there are intensive HDD tasks that produce no errors. The symptoms are not getting worse - it has been the same since it started happening.

Thanks in advance for any suggestions.

A sample Security Auditing 4624 event is pasted below:

______________________________________________
An account was successfully logged on.

Subject... Read more

A:Sporadic short freezes accompanied by 4624 and 4672 events

I have also now noticed that these events are immediately preceded by a 7036 event: "The Windows Error Reporting Service service entered the running state."

Not sure if this is causing the slowdown or is a response to some other event that is causing the slowdown. There is some relation since the logon 4624 event is from: Process Name: C:\Windows\System32\services.exe - which activates the error reporting service.

Is there a way to know why the Windows Error Reporting Service activates?

Happy to receive any suggestions.

Thanks

GF

Read other 2 answers
RELEVANCY SCORE 47.2

Hi



Where can I find an updated guide on the registry keys and entries of the latest version of Microsoft Security Essentials for all versions and editions of Windows 7 SP1?


Thanks


Bye

A:The Microsoft Security Essentials keys and entries

Apparently no one else... including me, knows what you're asking for
The same for your post here: http://www.sevenforums.com/system-se...s-entries.html

Read other 3 answers
RELEVANCY SCORE 46.4

Hi,

I'm just looking for some insight into these MS Security Essentials entries that only show up in my Event Viewer on Windows XP Pro SP3. I'd be happy to run the preliminary scans if asked to. Here's some of the entries:

Microsoft Antimalware has detected a suspicious behavior.
Name: Informational:Behavior/ModifiedKernel
ID: 3782179607
Severity: Low
Category: Suspicious Behavior
Path: process:0
Detection Origin: Unknown
Detection Type: Suspicious
Detection Source: Real-Time Protection
Status: Executing
User: Unknown\Unknown
Process Name: Unknown
Signature ID: 717259538435
Signature Version: AV: 1.75.625.0, AS: 1.75.625.0
Engine Version: 1.1.5406.0
Fidelity Label: Medium
Target File Name: spdr.sys

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And another:

Microsoft Antimalware has detected a suspicious behavior.
Name: Informational:Behavior/ModifiedKernel
ID: 272087700
Severity: Low
Category: Suspicious Behavior
Path: process:0
Detection Origin: Unknown
Detection Type: Suspicious
Detection Source: Real-Time Protection
Status: Executing
User: Unknown\Unknown
Process Name: Unknown
Signature ID: 717259538435
Signature Version: AV: 1.75.675.0, AS: 1.75.675.0
Engine Version: 1.1.5406.0
Fidelity Label: Medium
Target File Name: speb.sys

For more information, see Help and Support Center at http://go.microsoft.com/fwli... Read more

A:[SOLVED] Weird Microsoft Security Essentials Entries

Do you use DAEMON Tools or Alcohol 120%?

Read other 7 answers
RELEVANCY SCORE 46.4

Hi there,

Which registry settings should I change to set the top two default Windows rules back to 'Unrestricted' please?

I set up some rules in the local security policy some time ago when there was fuss in the news about the cryptolocker virus. They looked a lot like the rules above (I found that screenshot online as I can't take one myself, read on..)

Today I was installing some software that wanted access to the areas I restricted. I temporarily disabled the rules, then re-enabled them. Being a dumbass I also set the top two rules (which are Windows default rules) to Disallowed!

Over the following 10 minutes various aspects of my PC stopped working, telling me that the local security policy prevented access. I couldn't even get into the Control Panel or the Local Security Policy screen to change it back, once I realised what I had done. I rebooted the machine - it won't come back up

I've tried a system restore by booting from the installer on USB (which did not work, it grumbled that it could not restore due a file locked by anti-virus) so I think I've got two options:


1. Refresh my system using the Windows 8 tools - but I suspect that might leave the LSP rules in place, as it retains my settings & preferences.
2. Hand edit the registry to correct the settings.

Option 2 is looking best, I can get into RegEdit from the recovery console, but I'm not sure what to edit and what to set it to? Could anyone kindly advise?

This is on Windows 8.1 Pro if that helps.

Thank... Read more

A:Can I change local security policy entries from RegEdit?

Hi again,

So I've found that default software policy rules should look like this:





%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%,Path,Unrestricted,
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%,Path,Unrestricted



and might be located in the registry here?






Software restriction policies are stored in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer or in HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows.



Is anyone able to confirm what a default / working set of registry values should be set to please?

Thanks again,
Chris

Read other 1 answers
RELEVANCY SCORE 46

IS THIS A 'FALSE POSITIVE' AND THEREFORE SAFE OR IS IT DANGEROUS?
 
Identified as a potentially unwanted program (pup) and rated threat level 5/10 by SuperAntiSpyware - who are still investigating whether this is harmful - I have read internet postings which suggest that:
 
the pup may have arisen from running AVG PC Tune Up - which I did indeed use before running a scan - and 
 
removing these entries caused problems with some computers. 
 
Last time I scanned my computer there were 27 entries, today the number has grown to 41. 
 
Free versions of AVG2013, Spybot 1.6.2 and Malwarebytes have not detected this as a pup. 
 
What is "security.hijack imagefile execution"? 
 
Has anyone found this on their computer? 
 
If so what action did you take, and were there any problems with your PC after removing it?

A:SuperAntiSpyware has detected 41 security.hijack imagefile execution entries

UPDATE: What a difference one week makes
 
When I ran SuperAntiSpyware today it did not identify any security.hijack entries, so I am guessing they have determined this is not a virus or malware and does not pose a risk.
 

Read other 1 answers
RELEVANCY SCORE 45.6

I have finally had a bellyfull of Norton. Using Windows 2000 Professional.

Add/Remove Programs did not fully remove the Norton Registry entries. Contacted Norton and downloaded the required utility to completely remove the product.

When I do a Start>Run>Regedit and Find "Norton" I still have registry entries in LEGACY_NAVAP (etc, etc) that I cannot delete.

When I contacted Symantec, they told me that I should start in Safe mode to delete them - which I did, without success.

McAfee are telling me that these entries are preventing me from downloading the McAfee product.

I know that a further call to Symantec will result in them telling me the only recourse is a backup and reformat (I have been there before with them).

Do any of you have any suggestions - if so - much appreciated in advance.

Steve
 

A:Uninstalling Norton Internet Security 2004 - Legacy Registry Entries

Hi, if you go to the top of this page, and click on SEARCH, under search forum type in
uninstalling symantec, you will see many references to removing Norton/Symantec.
Good luck.
 

Read other 1 answers
RELEVANCY SCORE 44

how do i access the event log on nt server?
 

A:Event and security log

When you are logged in as an Administrator it should be on the start menu, under Administrative tools, and is called Event Viewer. There are three logs to view, Security, Applications and System.
 

Read other 1 answers
RELEVANCY SCORE 44

Hello all,

I have a Win XP SP3 virtual machine running in a data center, hooked on the net.
Someone is trying to get access to the machine by trying every user/password combination (see an example below, there are thousands of the same, with different accounts)

I feel relatively safe as the machine has been hardened.
On the password side, there is only one valid account, admin has been renamed, guest is disabled and the only valid password is not guessable (20+ chars, upper/lower/special char/figures).

However, I want to identify that guy trying to hack my machine.
It looks like the IP of the remote station (attacker) cannot be added to the event log.
Is there any easy way to get hold of this information ?

Cheers

Logon Process Name: Winlogon\MSGina"
29/01/2011,22:16:08,Security,Failure Audit,Logon/Logoff ,529,NT AUTHORITY\SYSTEM,WAC-WKS-PENT-01,Logon Failure:
Reason: Unknown user name or bad password
User Name: root
Domain: WAC-WKS-PENT-01
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: WAC-WKS-PENT-01
PS: not sure if this fits best in "OS" or in "Security", please feel free to move my post as required
 

A:How to get the IP in the security event log ??

Put something like Wireshark between that computer and the internet.
 

Read other 2 answers
RELEVANCY SCORE 44

Hi,
how can i generate a list of file permissions that an NT group has on a
folder?
Thanks
 

Read other answers
RELEVANCY SCORE 44

1st post so no snickering! LOL

W2k, SP4, IE 6, logs into local account on PC.

I want to see if this user went to yahoo mail and logged in under a specific username (which I have and it is a yahoo account). I need to see if they did or didn't and the time. Anything able to do this with index.dat/stored files or should this be in the security section.

Thanks in advance.


Hey, I hope I understood the directions and I'm doing this correctly. If it's wrong I apologize, I was a bit confused. Just bought a computer from a friend and it's absolutely infested with viruses and spyware. It was basically unusable, constantly freezing and taking many minutes to open and use programs.

So I dl'd and ran CCleaner, AVG, malwarebytes, CWShredder, and super anti-spyware (spybot and ad-aware wouldn't work). Also deleted a bunch of obvious things off of the startup list. That got the computer working again, albeit very slowly. Ran an HJT through Help2Go and through an HJT reader and got some more stuff off, but the HJT reader found a bunch of entries that could be fixed if identified. Tried to google the entries, but it wasn't helpful. I need assistance from an expert.

So, I'm posting a log in hopes someone can help. I've backed up the system and have a firewall enabled. Also, If anybody could help me finish off deleting startup entries that would be much appreciated. I would really like to eliminate every non-essential starting entry. I included an HJT log for thoroughness. Sorry if I wasn't supposed to do that. Thank you thank you thank you to anybody that can help me.

DDS Log
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.126.10 [GMT -8:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:...

A: Help removing unidentified entries (malware?) and startup entries

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Sca...
