Level Date and Time Source Event ID Task Category
Information 07/04/2015 22:42:30 Microsoft-Windows-Kernel-General 13 None The operating system is shutting down at system time 2015-04-07T21:42:30.558836200Z.
Information 07/04/2015 22:42:30 Microsoft-Windows-Kernel-Power 109 (103) The kernel power manager has initiated a shutdown transition.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Plug and Play service entered the stopped state.
Information 07/04/2015 22:42:29 Microsoft-Windows-UserPnp 20010 (7010) "One or more of the Plug and Play service's subsystems has changed state.
PlugPlay install subsystem enabled: 'false'
PlugPlay caching subsystem enabled: 'false'
"
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Windows Search service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Windows Image Acquisition (WIA) service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Function Discovery Resource Publication service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Cryptographic Services service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Windows Modules Installer service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Security Center service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The SSDP Discovery service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Windows Management Instrumentation service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Desktop Window Manager Session Manager service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Distributed Link Tracking Client service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Windows Font Cache Service service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The UPnP Device Host service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Peer Name Resolution Protocol service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The User Profile Service service entered the stopped state.
Information 07/04/2015 22:42:29 Microsoft-Windows-User Profiles Service 1532 None "The User Profile Service has stopped.
"
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Windows Event Log service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Power service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The PnkBstrA service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Peer Networking Identity Manager service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Disk Defragmenter service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The DHCP Client service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Diagnostic Service Host service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Human Interface Device Access service entered the stopped state.
Information 07/04/2015 22:42:29 Microsoft-Windows-Dhcp-Client 50037 Service State Event DHCPv4 client service is stopped. ShutDown Flag value is 1
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Diagnostic Policy Service service entered the stopped state.
Information 07/04/2015 22:42:29 Microsoft-Windows-DHCPv6-Client 51047 Service State Event DHCPv6 client service is stopped. ShutDown Flag value is 1
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Diagnostic System Host service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Microsoft Office ClickToRun Service service entered the stopped state.
Information 07/04/2015 22:42:29 Microsoft-Windows-Eventlog 1100 Service shutdown The event logging service has shut down.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Bonjour Service service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The AMD External Events Utility service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Microsoft .NET Framework NGEN v4.0.30319_X64 service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The Microsoft .NET Framework NGEN v4.0.30319_X86 service entered the stopped state.
Information 07/04/2015 22:42:29 Service Control Manager 7036 None The AMD FUEL Service service entered the stopped state.
Information 07/04/2015 22:42:28 Service Control Manager 7036 None The Group Policy Client service entered the stopped state.
Information 07/04/2015 22:42:28 Service Control Manager 7036 None The Windows Update service entered the stopped state.
Information 07/04/2015 22:42:28 Microsoft-Windows-WindowsUpdateClient 27 Windows Update Agent Automatic Updates is now paused.
Information 07/04/2015 22:42:28 Service Control Manager 7036 None The Windows Modules Installer service entered the running state.
Information 07/04/2015 22:42:29 EventLog 6006 None The Event log service was stopped.
Information 07/04/2015 22:42:29 Bonjour Service 100 None Service stopped (0)
Information 07/04/2015 22:42:28 Service Control Manager 7036 None The Windows Media Player Network Sharing Service service entered the stopped state.
Information 07/04/2015 22:42:28 Service Control Manager 7036 None The UPnP Device Host service entered the running state.
Information 07/04/2015 22:42:28 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:42:28 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:42:28 Microsoft-Windows-Winlogon 7002 (1102) User Logoff Notification for Customer Experience Improvement Program
Information 07/04/2015 22:42:28 Microsoft-Windows-Security-Auditing 4647 Logoff "User initiated logoff:
Subject:
Security ID: Ste-PC\Ste
Account Name: Ste
Account Domain: Ste-PC
Logon ID: 0x35737
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event."
Information 07/04/2015 22:42:28 Microsoft-Windows-WMPNSS-Service 14205 None Service 'WMPNetworkSvc' stopped.
Information 07/04/2015 22:42:28 USER32 1074 None "The process C:\Windows\system32\winlogon.exe (STE-PC) has initiated the power off of computer STE-PC on behalf of user Ste-PC\Ste for the following reason: No title for this reason could be found
Reason Code: 0x500ff
Shutdown Type: power off
Comment: "
Information 07/04/2015 22:42:28 Microsoft-Windows-Winlogon 6000 None The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Information 07/04/2015 22:42:28 Desktop Window Manager 9009 None The Desktop Window Manager has exited with code (0x40010004)
Information 07/04/2015 22:42:25 USER32 1074 None "The process Explorer.EXE has initiated the power off of computer STE-PC on behalf of user Ste-PC\Ste for the following reason: Other (Unplanned)
Reason Code: 0x0
Shutdown Type: power off
Comment: "
Information 07/04/2015 22:39:24 Service Control Manager 7036 None The WMI Performance Adapter service entered the stopped state.
Information 07/04/2015 22:39:24 Microsoft-Windows-LoadPerf 1000 None Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.
Information 07/04/2015 22:39:24 Microsoft-Windows-LoadPerf 1001 None Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
Information 07/04/2015 22:38:47 Service Control Manager 7036 None The Disk Defragmenter service entered the running state.
Information 07/04/2015 22:38:46 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:38:46 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
"
Error 07/04/2015 22:35:02 MouseKeyboardCenter 0 None "Unknown Node:#text -->
"
Information 07/04/2015 22:33:25 Service Control Manager 7036 None The WMI Performance Adapter service entered the running state.
Information 07/04/2015 22:33:25 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:33:25 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
"
Information 07/04/2015 22:33:24 Service Control Manager 7036 None The WMI Performance Adapter service entered the stopped state.
Information 07/04/2015 22:32:37 Service Control Manager 7036 None The Security Center service entered the running state.
Information 07/04/2015 22:32:37 Service Control Manager 7036 None The Google Update Service (gupdate) service entered the stopped state.
Information 07/04/2015 22:32:37 Service Control Manager 7036 None The Google Update Service (gupdate) service entered the running state.
Information 07/04/2015 22:32:37 SecurityCenter 1 None The Windows Security Center Service has started.
Information 07/04/2015 22:32:37 gupdate 0 None "The description for Event ID 0 from source gupdate cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Service stopped
"
Information 07/04/2015 22:32:36 Service Control Manager 7036 None The Microsoft .NET Framework NGEN v4.0.30319_X64 service entered the running state.
Information 07/04/2015 22:32:36 Service Control Manager 7036 None The Microsoft .NET Framework NGEN v4.0.30319_X86 service entered the running state.
Information 07/04/2015 22:32:36 Service Control Manager 7036 None The Portable Device Enumerator Service service entered the stopped state.
Information 07/04/2015 22:32:36 Service Control Manager 7036 None The Background Intelligent Transfer Service service entered the running state.
Information 07/04/2015 22:31:44 Microsoft-Windows-Application-Experience 206 None The Program Compatibility Assistant service successfully performed phase two initialization.
Information 07/04/2015 22:31:20 Service Control Manager 7036 None The WMI Performance Adapter service entered the running state.
Information 07/04/2015 22:31:20 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:31:20 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
"
Information 07/04/2015 22:31:19 Service Control Manager 7045 None "A service was installed in the system.
Service Name: speccy
Service File Name: C:\Users\Ste\AppData\Local\Temp\27d451b5-4558-4294-89d1-4a613ba21b73
Service Type: kernel mode driver
Service Start Type: demand start
Service Account: "
Information 07/04/2015 22:31:19 Service Control Manager 7036 None The Windows Update service entered the running state.
Information 07/04/2015 22:31:17 Service Control Manager 7036 None The Peer Name Resolution Protocol service entered the running state.
Information 07/04/2015 22:31:17 Service Control Manager 7036 None The Peer Networking Identity Manager service entered the running state.
Information 07/04/2015 22:31:17 Service Control Manager 7045 None "A service was installed in the system.
Service Name: cpuz138
Service File Name: C:\Users\Ste\AppData\Local\Temp\\cpuz138\cpuz138_x64.sys
Service Type: kernel mode driver
Service Start Type: demand start
Service Account: "
Information 07/04/2015 22:30:52 Service Control Manager 7036 None The AODService service entered the stopped state.
Information 07/04/2015 22:30:48 Service Control Manager 7036 None The Computer Browser service entered the stopped state.
Information 07/04/2015 22:30:38 Service Control Manager 7036 None The Windows Font Cache Service service entered the running state.
Information 07/04/2015 22:30:37 Service Control Manager 7036 None The SSDP Discovery service entered the running state.
Information 07/04/2015 22:30:37 Service Control Manager 7036 None The Computer Browser service entered the running state.
Information 07/04/2015 22:30:37 Service Control Manager 7036 None The Application Experience service entered the running state.
Information 07/04/2015 22:30:36 Service Control Manager 7036 None The HomeGroup Provider service entered the running state.
Information 07/04/2015 22:30:36 Service Control Manager 7036 None The Function Discovery Provider Host service entered the running state.
Information 07/04/2015 22:30:36 Service Control Manager 7036 None The Windows Media Player Network Sharing Service service entered the running state.
Information 07/04/2015 22:30:36 Microsoft-Windows-WMPNSS-Service 14204 None Service 'WMPNetworkSvc' started.
Information 07/04/2015 22:30:36 Service Control Manager 7036 None The Windows Search service entered the running state.
Information 07/04/2015 22:30:36 Service Control Manager 7036 None The Portable Device Enumerator Service service entered the running state.
Information 07/04/2015 22:30:36 Service Control Manager 7036 None The Diagnostic System Host service entered the running state.
Information 07/04/2015 22:30:36 Service Control Manager 7036 None The Network List Service service entered the running state.
Information 07/04/2015 22:30:36 Service Control Manager 7036 None The Human Interface Device Access service entered the running state.
Information 07/04/2015 22:30:36 Microsoft-Windows-WMI 5617 None Windows Management Instrumentation Service subsystems initialized successfully
Information 07/04/2015 22:30:36 Microsoft-Windows-Search 1003 Search service The Windows Search Service started.
Information 07/04/2015 22:30:36 ESENT 302 Logging/Recovery Windows (3088) Windows: The database engine has successfully completed recovery steps.
Information 07/04/2015 22:30:36 ESENT 301 Logging/Recovery Windows (3088) Windows: The database engine has begun replaying logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log.
Information 07/04/2015 22:30:36 ESENT 300 Logging/Recovery Windows (3088) Windows: The database engine is initiating recovery steps.
Information 07/04/2015 22:30:36 ESENT 102 General Windows (3088) Windows: The database engine (6.01.7601.0000) started a new instance (0).
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The Network Connections service entered the running state.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The Diagnostic Service Host service entered the running state.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.
Information 07/04/2015 22:30:35 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:30:35 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
"
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The Server service entered the running state.
Information 07/04/2015 22:30:35 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x70000
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
"
Warning 07/04/2015 22:30:35 Microsoft-Windows-Wininit 11 None Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The IP Helper service entered the running state.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The Windows Live ID Sign-in Assistant service entered the running state.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The Function Discovery Resource Publication service entered the running state.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The Windows Image Acquisition (WIA) service entered the running state.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The Windows Management Instrumentation service entered the running state.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The Distributed Link Tracking Client service entered the running state.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The PnkBstrA service entered the running state.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The Microsoft Office ClickToRun Service service entered the running state.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The Network Location Awareness service entered the running state.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The Program Compatibility Assistant Service service entered the running state.
Information 07/04/2015 22:30:35 Microsoft-Windows-Application-Experience 201 None The Program Compatibility Assistant service started successfully.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The Diagnostic Policy Service service entered the running state.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The Bonjour Service service entered the running state.
Information 07/04/2015 22:30:35 Service Control Manager 7036 None The Apple Mobile Device service entered the running state.
Information 07/04/2015 22:30:35 Microsoft-Windows-WMI 5611 None The Windows Management Instrumentation service has detected an inconsistent system shutdown.
Information 07/04/2015 22:30:35 Microsoft-Windows-WMI 5615 None Windows Management Instrumentation Service started sucessfully
Information 07/04/2015 22:30:35 Bonjour Service 100 None Service started
Information 07/04/2015 22:30:35 Bonjour Service 100 None Service initialized
Information 07/04/2015 22:30:35 Bonjour Service 100 None Service initializing
Information 07/04/2015 22:30:34 Service Control Manager 7036 None The AODService service entered the running state.
Information 07/04/2015 22:30:29 Service Control Manager 7036 None The AMD FUEL Service service entered the running state.
Information 07/04/2015 22:30:28 Service Control Manager 7036 None The ACP User Service service entered the running state.
Information 07/04/2015 22:30:28 Service Control Manager 7036 None The AMD FUEL Service service entered the running state.
Information 07/04/2015 22:30:28 Microsoft-Windows-Security-Auditing 5024 Other System Events The Windows Firewall service started successfully.
Information 07/04/2015 22:30:28 Service Control Manager 7036 None The Workstation service entered the running state.
Information 07/04/2015 22:30:28 Service Control Manager 7036 None The Windows Firewall service entered the running state.
Information 07/04/2015 22:30:28 Service Control Manager 7036 None The Base Filtering Engine service entered the running state.
Information 07/04/2015 22:30:28 Microsoft-Windows-Security-Auditing 5033 Other System Events The Windows Firewall Driver started successfully.
Information 07/04/2015 22:30:27 Microsoft-Windows-User Profiles Service 1531 None "The User Profile Service has started successfully.
"
Information 07/04/2015 22:30:28 Microsoft-Windows-Winlogon 6000 None The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Information 07/04/2015 22:30:28 Microsoft-Windows-Winlogon 4101 None Windows license validated.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The Print Spooler service entered the running state.
Information 07/04/2015 22:30:27 Microsoft-Windows-Winlogon 7001 (1101) User Logon Notification for Customer Experience Improvement Program
Information 07/04/2015 22:30:27 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: Ste-PC\Ste
Account Name: Ste
Account Domain: Ste-PC
Logon ID: 0x35737
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:30:27 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 2
New Logon:
Security ID: Ste-PC\Ste
Account Name: Ste
Account Domain: Ste-PC
Logon ID: 0x35737
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x270
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: STE-PC
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:30:27 Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Ste
Account Domain: Ste-PC
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x270
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: 127.0.0.1
Port: 0
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information 07/04/2015 22:30:27 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:30:27 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The Task Scheduler service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The Shell Hardware Detection service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The DNS Client service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The DHCP Client service entered the running state.
Information 07/04/2015 22:30:27 Microsoft-Windows-DHCPv6-Client 51046 Service State Event DHCPv6 client service is started
Information 07/04/2015 22:30:27 Microsoft-Windows-Dhcp-Client 50036 Service State Event DHCPv4 client service is started
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The TCP/IP NetBIOS Helper service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The Network Store Interface Service service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The Security Accounts Manager service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The Desktop Window Manager Session Manager service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The System Event Notification Service service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The COM+ Event System service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The Offline Files service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The User Profile Service service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The Group Policy Client service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The Themes service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The Creative Audio Service service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The Windows Audio service entered the running state.
Information 07/04/2015 22:30:27 Service Control Manager 7036 None The Windows Audio Endpoint Builder service entered the running state.
Information 07/04/2015 22:30:26 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:30:26 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:30:26 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:30:26 Microsoft-Windows-Security-Auditing 4624 Logon "The description for Event ID 4624 from source Microsoft-Windows-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
EV_RenderedValue_0.00
STE-PC$
WORKGROUP
999
EV_RenderedValue_4.00
SYSTEM
NT AUTHORITY
999
5
Advapi
Negotiate
EV_RenderedValue_12.00
-
-
0
592
C:\Windows\System32\services.exe
-
-
The handle is invalid
"
Information 07/04/2015 22:30:26 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:30:26 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:30:26 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: NETWORK SERVICE
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:30:26 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: NETWORK SERVICE
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:30:26 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:30:26 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:30:25 Microsoft-Windows-Security-Auditing 4902 Audit Policy Change "The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0xe456"
Information 07/04/2015 22:30:25 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 0
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:30:25 Microsoft-Windows-Security-Auditing 4608 Security State Change "Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized."
Error 07/04/2015 22:30:27 Microsoft-Windows-Eventlog 1101 Event processing Audit events have been dropped by the transport. 0
Information 07/04/2015 22:30:27 Microsoft-Windows-EventSystem 4625 None The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\EventSystem\EventLog.
Information 07/04/2015 22:30:26 Service Control Manager 7036 None The Multimedia Class Scheduler service entered the running state.
Information 07/04/2015 22:30:26 Service Control Manager 7036 None The Windows Event Log service entered the running state.
Information 07/04/2015 22:30:26 Service Control Manager 7036 None The AMD External Events Utility service entered the running state.
Information 07/04/2015 22:30:26 Service Control Manager 7036 None The Cryptographic Services service entered the running state.
Information 07/04/2015 22:30:26 Service Control Manager 7036 None The COMODO Internet Security Helper Service service entered the running state.
Information 07/04/2015 22:30:26 Service Control Manager 7036 None The Remote Procedure Call (RPC) service entered the running state.
Information 07/04/2015 22:30:26 Service Control Manager 7036 None The RPC Endpoint Mapper service entered the running state.
Information 07/04/2015 22:30:26 Service Control Manager 7036 None The DCOM Server Process Launcher service entered the running state.
Information 07/04/2015 22:30:26 Microsoft-Windows-FilterManager 6 None File System Filter 'luafv' (6.1, 2009-07-14T00:26:13.000000000Z) has successfully loaded and registered with Filter Manager.
Information 07/04/2015 22:30:26 Service Control Manager 7036 None The Power service entered the running state.
Information 07/04/2015 22:30:26 Microsoft-Windows-UserPnp 20010 (7010) "One or more of the Plug and Play service's subsystems has changed state.
PlugPlay install subsystem enabled: 'true'
PlugPlay caching subsystem enabled: 'true'
"
Information 07/04/2015 22:30:26 Service Control Manager 7036 None The Plug and Play service entered the running state.
Information 07/04/2015 22:30:22 Microsoft-Windows-Kernel-Processor-Power 26 (4) "Processor 5 in group 0 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 07/04/2015 22:30:22 Microsoft-Windows-Kernel-Processor-Power 26 (4) "Processor 4 in group 0 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 07/04/2015 22:30:22 Microsoft-Windows-Kernel-Processor-Power 26 (4) "Processor 3 in group 0 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 07/04/2015 22:30:22 Microsoft-Windows-Kernel-Processor-Power 26 (4) "Processor 2 in group 0 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 07/04/2015 22:30:22 Microsoft-Windows-Kernel-Processor-Power 26 (4) "Processor 1 in group 0 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 07/04/2015 22:30:22 Microsoft-Windows-Kernel-Processor-Power 26 (4) "Processor 0 in group 0 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 07/04/2015 22:30:26 EventLog 6013 None The system uptime is 12 seconds.
Information 07/04/2015 22:30:26 EventLog 6005 None The Event log service was started.
Information 07/04/2015 22:30:26 EventLog 6009 None Microsoft (R) Windows (R) 6.01. 7601 Service Pack 1 Multiprocessor Free.
Error 07/04/2015 22:30:26 EventLog 6008 None The previous system shutdown at 22:23:59 on 07/04/2015 was unexpected.
Critical 07/04/2015 22:30:21 Microsoft-Windows-Kernel-Power 41 (63) The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Information 07/04/2015 22:30:21 Microsoft-Windows-FilterManager 6 None File System Filter 'cmdGuard' (6.1, 2015-01-30T12:47:15.000000000Z) has successfully loaded and registered with Filter Manager.
Information 07/04/2015 22:30:14 Microsoft-Windows-FilterManager 6 None File System Filter 'FileInfo' (6.1, 2009-07-14T00:34:25.000000000Z) has successfully loaded and registered with Filter Manager.
Information 07/04/2015 22:30:14 Microsoft-Windows-Kernel-General 12 None The operating system started at system time 2015-04-07T21:30:13.860398900Z.
Information 07/04/2015 22:23:09 Service Control Manager 7036 None The Security Center service entered the running state.
Information 07/04/2015 22:23:09 Service Control Manager 7036 None The Google Update Service (gupdate) service entered the stopped state.
Information 07/04/2015 22:23:09 Service Control Manager 7036 None The Google Update Service (gupdate) service entered the running state.
Information 07/04/2015 22:23:09 SecurityCenter 1 None The Windows Security Center Service has started.
Information 07/04/2015 22:23:09 gupdate 0 None "The description for Event ID 0 from source gupdate cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Service stopped
"
Information 07/04/2015 22:23:08 Service Control Manager 7036 None The Microsoft .NET Framework NGEN v4.0.30319_X64 service entered the running state.
Information 07/04/2015 22:23:07 Service Control Manager 7036 None The Microsoft .NET Framework NGEN v4.0.30319_X86 service entered the running state.
Information 07/04/2015 22:23:07 Service Control Manager 7036 None The Portable Device Enumerator Service service entered the stopped state.
Information 07/04/2015 22:23:07 Service Control Manager 7036 None The Background Intelligent Transfer Service service entered the running state.
Information 07/04/2015 22:22:30 Service Control Manager 7036 None The WMI Performance Adapter service entered the running state.
Information 07/04/2015 22:22:30 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:22:30 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:22:29 Service Control Manager 7045 None "A service was installed in the system.
Service Name: speccy
Service File Name: C:\Users\Ste\AppData\Local\Temp\1f33f957-617f-4942-b7c3-9f5271f42717
Service Type: kernel mode driver
Service Start Type: demand start
Service Account: "
Information 07/04/2015 22:22:29 Service Control Manager 7036 None The Windows Update service entered the running state.
Information 07/04/2015 22:22:27 Service Control Manager 7036 None The Peer Name Resolution Protocol service entered the running state.
Information 07/04/2015 22:22:27 Service Control Manager 7036 None The Peer Networking Identity Manager service entered the running state.
Information 07/04/2015 22:21:27 Service Control Manager 7036 None The AODService service entered the stopped state.
Information 07/04/2015 22:21:19 Service Control Manager 7036 None The Computer Browser service entered the stopped state.
Information 07/04/2015 22:21:10 Service Control Manager 7036 None The Windows Font Cache Service service entered the running state.
Information 07/04/2015 22:21:09 Service Control Manager 7036 None The SSDP Discovery service entered the running state.
Information 07/04/2015 22:21:09 Service Control Manager 7036 None The HomeGroup Provider service entered the running state.
Information 07/04/2015 22:21:09 Service Control Manager 7036 None The Function Discovery Provider Host service entered the running state.
Information 07/04/2015 22:21:08 Service Control Manager 7036 None The Windows Media Player Network Sharing Service service entered the running state.
Information 07/04/2015 22:21:08 Service Control Manager 7036 None The Computer Browser service entered the running state.
Information 07/04/2015 22:21:08 Service Control Manager 7036 None The Application Experience service entered the running state.
Information 07/04/2015 22:21:08 Microsoft-Windows-WMPNSS-Service 14204 None Service 'WMPNetworkSvc' started.
Information 07/04/2015 22:21:08 Service Control Manager 7036 None The Network Connections service entered the running state.
Warning 07/04/2015 22:21:08 Microsoft-Windows-Wininit 11 None Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
Information 07/04/2015 22:21:07 Service Control Manager 7036 None The AMD FUEL Service service entered the running state.
Information 07/04/2015 22:21:07 Service Control Manager 7036 None The Windows Search service entered the running state.
Information 07/04/2015 22:21:07 Service Control Manager 7036 None The Portable Device Enumerator Service service entered the running state.
Information 07/04/2015 22:21:07 Service Control Manager 7036 None The Network List Service service entered the running state.
Information 07/04/2015 22:21:07 Service Control Manager 7036 None The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.
Information 07/04/2015 22:21:07 Service Control Manager 7036 None The Diagnostic System Host service entered the running state.
Information 07/04/2015 22:21:07 Service Control Manager 7036 None The Human Interface Device Access service entered the running state.
Information 07/04/2015 22:21:07 Service Control Manager 7036 None The Diagnostic Service Host service entered the running state.
Information 07/04/2015 22:21:07 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:21:07 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:21:07 Service Control Manager 7036 None The Server service entered the running state.
Information 07/04/2015 22:21:07 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x6df0e
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:21:07 Microsoft-Windows-Search 1003 Search service The Windows Search Service started.
Information 07/04/2015 22:21:07 ESENT 302 Logging/Recovery Windows (3080) Windows: The database engine has successfully completed recovery steps.
Information 07/04/2015 22:21:07 ESENT 301 Logging/Recovery Windows (3080) Windows: The database engine has begun replaying logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log.
Information 07/04/2015 22:21:07 ESENT 301 Logging/Recovery Windows (3080) Windows: The database engine has begun replaying logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00285.log.
Information 07/04/2015 22:21:07 ESENT 301 Logging/Recovery Windows (3080) Windows: The database engine has begun replaying logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00284.log.
Information 07/04/2015 22:21:07 ESENT 301 Logging/Recovery Windows (3080) Windows: The database engine has begun replaying logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00283.log.
Information 07/04/2015 22:21:07 ESENT 300 Logging/Recovery Windows (3080) Windows: The database engine is initiating recovery steps.
Information 07/04/2015 22:21:07 ESENT 102 General Windows (3080) Windows: The database engine (6.01.7601.0000) started a new instance (0).
Information 07/04/2015 22:21:07 Microsoft-Windows-WMI 5617 None Windows Management Instrumentation Service subsystems initialized successfully
Information 07/04/2015 22:21:06 Service Control Manager 7036 None The IP Helper service entered the running state.
Information 07/04/2015 22:21:06 Service Control Manager 7036 None The Windows Live ID Sign-in Assistant service entered the running state.
Information 07/04/2015 22:21:06 Service Control Manager 7036 None The Windows Image Acquisition (WIA) service entered the running state.
Information 07/04/2015 22:21:06 Service Control Manager 7036 None The Windows Management Instrumentation service entered the running state.
Information 07/04/2015 22:21:06 Service Control Manager 7036 None The Distributed Link Tracking Client service entered the running state.
Information 07/04/2015 22:21:06 Service Control Manager 7036 None The Function Discovery Resource Publication service entered the running state.
Information 07/04/2015 22:21:06 Service Control Manager 7036 None The PnkBstrA service entered the running state.
Information 07/04/2015 22:21:06 Service Control Manager 7036 None The Microsoft Office ClickToRun Service service entered the running state.
Information 07/04/2015 22:21:06 Service Control Manager 7036 None The Network Location Awareness service entered the running state.
Information 07/04/2015 22:21:06 Service Control Manager 7036 None The Program Compatibility Assistant Service service entered the running state.
Information 07/04/2015 22:21:06 Microsoft-Windows-Application-Experience 201 None The Program Compatibility Assistant service started successfully.
Information 07/04/2015 22:21:06 Service Control Manager 7036 None The Diagnostic Policy Service service entered the running state.
Information 07/04/2015 22:21:06 Service Control Manager 7036 None The Bonjour Service service entered the running state.
Information 07/04/2015 22:21:06 Service Control Manager 7036 None The Apple Mobile Device service entered the running state.
Information 07/04/2015 22:21:06 Service Control Manager 7036 None The AODService service entered the running state.
Information 07/04/2015 22:21:06 Microsoft-Windows-WMI 5615 None Windows Management Instrumentation Service started sucessfully
Information 07/04/2015 22:21:06 Bonjour Service 100 None Service started
Information 07/04/2015 22:21:06 Bonjour Service 100 None Service initialized
Information 07/04/2015 22:21:06 Bonjour Service 100 None Service initializing
Information 07/04/2015 22:21:01 Service Control Manager 7036 None The ACP User Service service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The AMD FUEL Service service entered the running state.
Information 07/04/2015 22:21:00 Microsoft-Windows-Security-Auditing 5024 Other System Events The Windows Firewall service started successfully.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The Workstation service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The Windows Firewall service entered the running state.
Information 07/04/2015 22:21:00 Microsoft-Windows-Security-Auditing 5033 Other System Events The Windows Firewall Driver started successfully.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The Base Filtering Engine service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The Print Spooler service entered the running state.
Information 07/04/2015 22:21:00 Microsoft-Windows-Winlogon 7001 (1101) User Logon Notification for Customer Experience Improvement Program
Information 07/04/2015 22:21:00 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: Ste-PC\Ste
Account Name: Ste
Account Domain: Ste-PC
Logon ID: 0x35702
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:21:00 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 2
New Logon:
Security ID: Ste-PC\Ste
Account Name: Ste
Account Domain: Ste-PC
Logon ID: 0x35702
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x270
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: STE-PC
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:21:00 Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Ste
Account Domain: Ste-PC
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x270
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: 127.0.0.1
Port: 0
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information 07/04/2015 22:21:00 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:21:00 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The Task Scheduler service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The Shell Hardware Detection service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The DNS Client service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The DHCP Client service entered the running state.
Information 07/04/2015 22:21:00 Microsoft-Windows-DHCPv6-Client 51046 Service State Event DHCPv6 client service is started
Information 07/04/2015 22:21:00 Microsoft-Windows-Dhcp-Client 50036 Service State Event DHCPv4 client service is started
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The TCP/IP NetBIOS Helper service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The Network Store Interface Service service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The Security Accounts Manager service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The Desktop Window Manager Session Manager service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The System Event Notification Service service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The COM+ Event System service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The Offline Files service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The User Profile Service service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The Group Policy Client service entered the running state.
Information 07/04/2015 22:21:00 Microsoft-Windows-User Profiles Service 1531 None "The User Profile Service has started successfully.
"
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The Themes service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The Creative Audio Service service entered the running state.
Information 07/04/2015 22:21:00 Service Control Manager 7036 None The Windows Audio service entered the running state.
Information 07/04/2015 22:21:00 Microsoft-Windows-Winlogon 6000 None The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Information 07/04/2015 22:21:00 Microsoft-Windows-Winlogon 4101 None Windows license validated.
Information 07/04/2015 22:21:00 Microsoft-Windows-EventSystem 4625 None The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\EventSystem\EventLog.
Information 07/04/2015 22:20:59 Service Control Manager 7036 None The Windows Audio Endpoint Builder service entered the running state.
Information 07/04/2015 22:20:59 Service Control Manager 7036 None The Multimedia Class Scheduler service entered the running state.
Information 07/04/2015 22:20:59 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:20:59 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:20:59 Service Control Manager 7036 None The Windows Event Log service entered the running state.
Information 07/04/2015 22:20:59 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:20:59 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:20:59 Service Control Manager 7036 None The AMD External Events Utility service entered the running state.
Information 07/04/2015 22:20:59 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:20:59 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:20:59 Service Control Manager 7036 None The Cryptographic Services service entered the running state.
Information 07/04/2015 22:20:59 Service Control Manager 7036 None The COMODO Internet Security Helper Service service entered the running state.
Information 07/04/2015 22:20:58 Service Control Manager 7036 None The Remote Procedure Call (RPC) service entered the running state.
Information 07/04/2015 22:20:58 Service Control Manager 7036 None The RPC Endpoint Mapper service entered the running state.
Information 07/04/2015 22:20:58 Service Control Manager 7036 None The DCOM Server Process Launcher service entered the running state.
Information 07/04/2015 22:20:58 Microsoft-Windows-FilterManager 6 None File System Filter 'luafv' (6.1, 2009-07-14T00:26:13.000000000Z) has successfully loaded and registered with Filter Manager.
Information 07/04/2015 22:20:58 Service Control Manager 7036 None The Power service entered the running state.
Information 07/04/2015 22:20:58 Microsoft-Windows-UserPnp 20010 (7010) "One or more of the Plug and Play service's subsystems has changed state.
PlugPlay install subsystem enabled: 'true'
PlugPlay caching subsystem enabled: 'true'
"
Information 07/04/2015 22:20:58 Service Control Manager 7036 None The Plug and Play service entered the running state.
Information 07/04/2015 22:20:55 Microsoft-Windows-Kernel-Processor-Power 26 (4) "Processor 5 in group 0 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 07/04/2015 22:20:55 Microsoft-Windows-Kernel-Processor-Power 26 (4) "Processor 4 in group 0 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 07/04/2015 22:20:55 Microsoft-Windows-Kernel-Processor-Power 26 (4) "Processor 3 in group 0 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 07/04/2015 22:20:55 Microsoft-Windows-Kernel-Processor-Power 26 (4) "Processor 2 in group 0 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 07/04/2015 22:20:55 Microsoft-Windows-Kernel-Processor-Power 26 (4) "Processor 1 in group 0 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 07/04/2015 22:20:55 Microsoft-Windows-Kernel-Processor-Power 26 (4) "Processor 0 in group 0 exposes the following:
1 idle state(s)
0 performance state(s)
0 throttle state(s)"
Information 07/04/2015 22:20:53 Microsoft-Windows-FilterManager 6 None File System Filter 'cmdGuard' (6.1, 2015-01-30T12:47:15.000000000Z) has successfully loaded and registered with Filter Manager.
Information 07/04/2015 22:20:47 Microsoft-Windows-FilterManager 6 None File System Filter 'FileInfo' (6.1, 2009-07-14T00:34:25.000000000Z) has successfully loaded and registered with Filter Manager.
Information 07/04/2015 22:20:47 Microsoft-Windows-Kernel-General 12 None The operating system started at system time 2015-04-07T21:20:46.860398900Z.
Information 07/04/2015 22:16:20 Microsoft-Windows-Kernel-General 13 None The operating system is shutting down at system time 2015-04-07T21:16:20.232402500Z.
Information 07/04/2015 22:16:19 Microsoft-Windows-Kernel-Power 109 (103) The kernel power manager has initiated a shutdown transition.
Information 07/04/2015 22:16:19 Service Control Manager 7036 None The Windows Search service entered the stopped state.
Information 07/04/2015 22:16:19 Service Control Manager 7036 None The SSDP Discovery service entered the stopped state.
Information 07/04/2015 22:16:19 Service Control Manager 7036 None The Windows Media Player Network Sharing Service service entered the stopped state.
Information 07/04/2015 22:16:19 Service Control Manager 7036 None The Windows Image Acquisition (WIA) service entered the stopped state.
Information 07/04/2015 22:16:19 Service Control Manager 7036 None The Software Protection service entered the stopped state.
Information 07/04/2015 22:16:19 Service Control Manager 7036 None The Function Discovery Resource Publication service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Volume Shadow Copy service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Cryptographic Services service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Security Center service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Windows Modules Installer service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Windows Event Log service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Diagnostic Policy Service service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Windows Management Instrumentation service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Microsoft Software Shadow Copy Provider service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Distributed Link Tracking Client service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Windows Time service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The SPP Notification Service service entered the stopped state.
Information 07/04/2015 22:16:18 Microsoft-Windows-Kernel-General 1 None The system time has changed to 2015-04-07T21:16:18.844000000Z from 2015-04-07T21:16:18.844340700Z.
Information 07/04/2015 22:20:59 EventLog 6013 None The system uptime is 12 seconds.
Information 07/04/2015 22:20:59 EventLog 6005 None The Event log service was started.
Information 07/04/2015 22:20:59 EventLog 6009 None Microsoft (R) Windows (R) 6.01. 7601 Service Pack 1 Multiprocessor Free.
Information 07/04/2015 22:20:58 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: NETWORK SERVICE
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:20:58 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: NETWORK SERVICE
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:20:58 Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 07/04/2015 22:20:58 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: STE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:20:58 Microsoft-Windows-Security-Auditing 4902 Audit Policy Change "The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0xe637"
Information 07/04/2015 22:20:58 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 0
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 07/04/2015 22:20:58 Microsoft-Windows-Security-Auditing 4608 Security State Change "Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized."
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Desktop Window Manager Session Manager service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Diagnostic Service Host service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The User Profile Service service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Power service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The PnkBstrA service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Windows Font Cache Service service entered the stopped state.
Information 07/04/2015 22:16:18 Microsoft-Windows-User Profiles Service 1532 None "The User Profile Service has stopped.
"
Information 07/04/2015 22:16:18 Microsoft-Windows-Security-Auditing 4616 Security State Change "The system time was changed.
Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Process Information:
Process ID: 0x480
Name: C:\Windows\System32\svchost.exe
Previous Time: 2015-04-07T21:16:18.844340700Z
New Time: 2015-04-07T21:16:18.844000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Plug and Play service entered the stopped state.
Information 07/04/2015 22:16:18 Microsoft-Windows-UserPnp 20010 (7010) "One or more of the Plug and Play service's subsystems has changed state.
PlugPlay install subsystem enabled: 'false'
PlugPlay caching subsystem enabled: 'false'
"
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Human Interface Device Access service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Diagnostic System Host service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The DHCP Client service entered the stopped state.
Information 07/04/2015 22:16:18 Microsoft-Windows-Dhcp-Client 50037 Service State Event DHCPv4 client service is stopped. ShutDown Flag value is 1
Information 07/04/2015 22:16:18 Microsoft-Windows-DHCPv6-Client 51047 Service State Event DHCPv6 client service is stopped. ShutDown Flag value is 1
Information 07/04/2015 22:16:18 Microsoft-Windows-Eventlog 1100 Service shutdown The event logging service has shut down.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Microsoft Office ClickToRun Service service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Bonjour Service service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The AMD External Events Utility service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Windows Installer service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Microsoft .NET Framework NGEN v4.0.30319_X64 service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Microsoft .NET Framework NGEN v4.0.30319_X86 service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The AMD FUEL Service service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Group Policy Client service entered the stopped state.
Information 07/04/2015 22:16:18 Service Control Manager 7036 None The Windows Update service entered the stopped state.
Information 07/04/2015 22:16:18 EventLog 6006 None The Event log service was stopped.
Information 07/04/2015 22:16:18 Microsoft-Windows-WindowsUpdateClient 27 Windows Update Agent Automatic Updates is now paused.
Information 07/04/2015 22:16:18 Microsoft-Windows-Winlogon 7002 (1102) User Logoff Notification for Customer Experience Improvement Program
Information 07/04/2015 22:16:18 Bonjour Service 100 None Service stopped (0)
Warning 07/04/2015 22:16:18 Microsoft-Windows-User Profiles Service 1530 None "Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3108607207-2367612179-3282689221-1000:
Process 4716 (\Device\HarddiskVolume4\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3108607207-2367612179-3282689221-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
"
Information 07/04/2015 22:16:18 USER32 1074 None "The process C:\Windows\system32\winlogon.exe (STE-PC) has initiated the restart of computer STE-PC on behalf of user Ste-PC\Ste for the following reason: No title for this reason could be found
Reason Code: 0x500ff
Shutdown Type: restart
Comment: "
Information 07/04/2015 22:16:18 Microsoft-Windows-Winlogon 6000 None The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Information 07/04/2015 22:16:17 Microsoft-Windows-Security-Auditing 4647 Logoff "User initiated logoff:
Subject:
Security ID: Ste-PC\Ste
Account Name: Ste
Account Domain: Ste-PC
Logon ID: 0x36195
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event."
Information 07/04/2015 22:16:17 Desktop Window Manager 9009 None The Desktop Window Manager has exited with code (0x40010004)
Information 07/04/2015 22:16:11 USER32 1074 None "The process Explorer.EXE has initiated the restart of computer STE-PC on behalf of user Ste-PC\Ste for the following reason: Other (Unplanned)
Reason Code: 0x0
Shutdown Type: restart
Comment: "