Events duplication (in event viewer) after successful logon (in event viewer).

  • Question

  • Hello.

    Can you please explain to me why I see several (looks like duplicated) events in Event Viewer after successful logon?

    For example, after a reboot (Win 10 workstation, no domain, no specific configuration) I see in the security log 2 totally identical logs for event 4624, type 2.

    The same situation for "Unlock".

    I want to show you these events in logs:

    In this example the PC is in a domain, and I am reproducing Windows UNLOCK (logoff - logon):

    FIRST EVENT

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2/14/2017 1:35:30 PM
    Event ID:      4624
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      mpxxx.xxx.xxx.net
    Description:
    An account was successfully logged on.

    Subject:
    Security ID: SYSTEM
    Account Name: MPxxx$
    Account Domain: KIV
    Logon ID: 0x3E7

    Logon Information:
    Logon Type: 7
    Restricted Admin Mode: -
    Virtual Account: No
    Elevated Token: Yes

    Impersonation Level: Impersonation

    New Logon:
    Security ID: UNIVERSE\mpxxx
    Account Name: mpxxx
    Account Domain: UNIVERSE
    Logon ID: 0x3D5986
    Linked Logon ID: 0x3D8CF3
    Network Account Name: -
    Network Account Domain: -
    Logon GUID: {a97eb034-e1a9-beba-9e13-0376df13c092}

    Process Information:
    Process ID: 0x2cc
    Process Name: C:\Windows\System32\lsass.exe

    Network Information:
    Workstation Name: MPxxx
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: Negotiat
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    SECOND DUPLICATED EVENT:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2/14/2017 1:35:30 PM
    Event ID:      4624
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      mpxxx.xxx.xxx.net
    Description:
    An account was successfully logged on.

    Subject:
    Security ID: SYSTEM
    Account Name: MPxxx$
    Account Domain: KIV
    Logon ID: 0x3E7

    Logon Information:
    Logon Type: 7
    Restricted Admin Mode: -
    Virtual Account: No
    Elevated Token: No

    Impersonation Level: Impersonation

    New Logon:
    Security ID: UNIVERSE\mpxxx
    Account Name: mpxxx
    Account Domain: UNIVERSE
    Logon ID: 0x3D8CF3
    Linked Logon ID: 0x3D5986
    Network Account Name: -
    Network Account Domain: -
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Process Information:
    Process ID: 0x2cc
    Process Name: C:\Windows\System32\lsass.exe

    Network Information:
    Workstation Name: MPxxx
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: Negotiat
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    The only difference is in the "Elevated Token:" and "Logon GUID:" portions of the output.

    Dear MS Guru, please give me any ideas why this duplication happens. It is important for me because I am planning to send events to a third-party security system and the duplication makes a lot of unnecessary noise.

    Thank you.  



    Tuesday, February 14, 2017 11:53 AM
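
The two events quoted above point at each other: each one's Linked Logon ID is the other's Logon ID, and only one carries "Elevated Token: Yes". As an added example (not part of the original thread), the Python below collapses such a pair into one record before forwarding while keeping both logon IDs; the function names, the output record layout, the third sample event and the assumption that a batch comes from a single host are all assumptions made here.

```python
import re

def parse_4624(text):
    """Parse a rendered 4624 description into {(section, field): value}."""
    fields, section = {}, None
    for raw in text.splitlines():
        m = re.match(r"([^:]+):\s*(.*)$", raw.strip())
        if not m:
            continue
        key, value = m.groups()
        if value:
            fields[(section, key)] = value
        else:
            section = key  # a bare "Name:" line opens a new section
    return fields

def collapse_linked(events):
    """Merge two 4624 events whose New Logon IDs reference each other."""
    ID, LINK = ("New Logon", "Logon ID"), ("New Logon", "Linked Logon ID")
    ELEV = ("Logon Information", "Elevated Token")
    by_id = {e[ID].lower(): e for e in events}  # assumes one host per batch
    merged, done = [], set()
    for e in events:
        lid = e[ID].lower()
        if lid in done:
            continue
        peer = by_id.get(e.get(LINK, "0x0").lower())
        paired = peer is not None and peer is not e and peer.get(LINK, "").lower() == lid
        sessions = [e, peer] if paired else [e]  # unpaired events pass through
        done.update(s[ID].lower() for s in sessions)
        merged.append({
            "account": e[("New Logon", "Account Domain")] + "\\" + e[("New Logon", "Account Name")],
            "logon_type": e[("Logon Information", "Logon Type")],
            # Keep every session ID: later events may reference either one.
            "logon_ids": sorted(s[ID].lower() for s in sessions),
            "elevated_id": next((s[ID].lower() for s in sessions if s.get(ELEV) == "Yes"), None),
        })
    return merged

# Constructed sample input modelled on the events in the post (trimmed fields).
TEMPLATE = ("Logon Information:\nLogon Type: 7\nElevated Token: {}\n\n"
            "New Logon:\nAccount Name: mpxxx\nAccount Domain: UNIVERSE\n"
            "Logon ID: {}\nLinked Logon ID: {}\n")
SAMPLE = [TEMPLATE.format(*v) for v in (("Yes", "0x3D5986", "0x3D8CF3"),
          ("No", "0x3D8CF3", "0x3D5986"), ("No", "0x4A0001", "0x0"))]

if __name__ == "__main__":
    for record in collapse_linked([parse_4624(t) for t in SAMPLE]):
        print(record)
```

Matching requires the link to be mutual, so an event whose partner is missing from the batch is forwarded unchanged rather than dropped.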

All replies

  • Wrong forum. This forum is for helping people in designing software and you are not writing one.

    Go to answers.microsoft.com and ask in the Windows forums, or ask in TechNet's Windows forums if your machine is domain joined.



    Visual C++ MVP

    Tuesday, February 14, 2017 1:14 PM
  • Please contact Microsoft.
    Wednesday, February 15, 2017 4:17 AM