Events duplication (in event viewer) after successful logon - Microsoft Community


Can someone please explain why I see several (seemingly duplicated) events in Event Viewer after a successful logon?

For example, after a reboot (Win 10 workstation, no domain, no specific configuration) I see in the Security log 2 totally identical events 4624, type 2.

The same situation occurs on "unlock".

I want to show these events in the logs:

In this example, a PC in a domain, reproducing Windows unlock (logoff - logon):

First event:

log name:      security
source:        microsoft-windows-security-auditing
date:          2/14/2017 1:35:30 pm
event id:      4624
task category: logon
level:         information
keywords:      audit success
user:          n/a
computer:      mpxxx.xxx.xxx.net
description:
account logged on.

subject:
security id:  system
account name:  mpxxx$
account domain: kiv
logon id:  0x3e7

logon information:
logon type:  7
restricted admin mode: -
virtual account: no
elevated token: yes

impersonation level: impersonation

new logon:
security id:  universe\mpxxx
account name:  mpxxx
account domain: universe
logon id:  0x3d5986
linked logon id: 0x3d8cf3
network account name: -
network account domain: -
logon guid:  {a97eb034-e1a9-beba-9e13-0376df13c092}

process information:
process id:  0x2cc
process name:  c:\windows\system32\lsass.exe

network information:
workstation name: mpxxx
source network address: -
source port:  -

detailed authentication information:
logon process: negotiat
authentication package: negotiate
transited services: -
package name (ntlm only): -
key length:  0

Second duplicated event:

log name:      security
source:        microsoft-windows-security-auditing
date:          2/14/2017 1:35:30 pm
event id:      4624
task category: logon
level:         information
keywords:      audit success
user:          n/a
computer:      mpxxx.xxx.xxx.net
description:
account logged on.

subject:
security id:  system
account name:  mpxxx$
account domain: kiv
logon id:  0x3e7

logon information:
logon type:  7
restricted admin mode: -
virtual account: no
elevated token: no

impersonation level: impersonation

new logon:
security id:  universe\mpxxx
account name:  mpxxx
account domain: universe
logon id:  0x3d8cf3
linked logon id: 0x3d5986
network account name: -
network account domain: -
logon guid:  {00000000-0000-0000-0000-000000000000}

process information:
process id:  0x2cc
process name:  c:\windows\system32\lsass.exe

network information:
workstation name: mpxxx
source network address: -
source port:  -

detailed authentication information:
logon process: negotiat
authentication package: negotiate
transited services: -
package name (ntlm only): -
key length:  0

The difference is in the "elevated token:" and "logon guid:" portions of the output.

Dear MS gurus, please give me ideas why the duplication happens. It is important because I am planning to send events to a third-party security system, and the duplication makes a lot of unnecessary noise.

Thank you.
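Added example, not part of the original thread: the two events quoted in the question reference each other through "logon id" / "linked logon id" and differ in "elevated token", the pattern Windows records when one interactive logon yields a linked pair of sessions (elevated and filtered token under UAC). The sketch below parses the rendered event text and merges such pairs into one record before forwarding; render, parse_4624 and collapse_linked are hypothetical helper names, and the third sample event is constructed.

```python
# Added example: collapse linked 4624 pairs before forwarding (not from the thread).

def render(elevated, logon_id, linked):
    """Constructed sample, abridged from the rendered 4624 text quoted in the post."""
    return (f"subject:\nlogon id:  0x3e7\n\n"
            f"logon information:\nlogon type:  7\nelevated token: {elevated}\n\n"
            f"new logon:\naccount name:  mpxxx\naccount domain: universe\n"
            f"logon id:  {logon_id}\nlinked logon id: {linked}\n")

def parse_4624(text):
    """Parse the rendered description into {section: {field: value}}."""
    event, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.endswith(":"):                      # "new logon:" opens a section
            section = event.setdefault(line[:-1].lower(), {})
        elif ":" in line and section is not None:
            key, _, value = line.partition(":")
            section[key.strip().lower()] = value.strip().lower()
    return event

def collapse_linked(events):
    """Merge records whose new-logon IDs reference each other; pass others through."""
    by_id = {e["new logon"]["logon id"]: e for e in events}
    out, seen = [], set()
    for e in events:
        new, info = e["new logon"], e["logon information"]
        lid, linked = new["logon id"], new.get("linked logon id", "0x0")
        if lid in seen:
            continue                                # already emitted with its peer
        rec = {"account": f'{new["account domain"]}\\{new["account name"]}',
               "logon type": info["logon type"],
               "sessions": {lid: info.get("elevated token")}}
        peer = by_id.get(linked)
        if peer and peer["new logon"].get("linked logon id") == lid:
            rec["sessions"][linked] = peer["logon information"].get("elevated token")
            seen.add(linked)
        seen.add(lid)
        out.append(rec)
    return out

SAMPLE = [parse_4624(t) for t in (
    render("yes", "0x3d5986", "0x3d8cf3"),   # first event in the post
    render("no", "0x3d8cf3", "0x3d5986"),    # second event in the post
    render("no", "0x4a1b2c", "0x0"),         # constructed: session with no linked peer
)]

if __name__ == "__main__":
    for record in collapse_linked(SAMPLE):
        print(record)
```

Each merged record keeps both session IDs, so later events that carry either logon ID can still be tied back to the same logon.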

This question is outside the scope of this site (for consumers), and to be sure of the best answer it should be asked either on TechNet (for pros) or MSDN (for developers).

TechNet
https://social.technet.microsoft.com/forums/en-us/home

MSDN

https://social.msdn.microsoft.com/forums/en-us/home

If you give a link to the new thread, we can point resources to it.

