How to tell which service or task caused a certain 4624 logon event?


The first event is documented by Microsoft in the article 4624(S): An account was successfully logged on.

The Logon Type is 5, which means "A service was started by the Service Control Manager". As recorded, the event was generated by C:\Windows\System32\services.exe, which is the Service Control Manager, responsible for running, ending, and interacting with system services.

The subject system service is started with the SYSTEM account, which gives it basically unlimited powers; this in turn causes the issuing of 4672(S): Special privileges assigned to new logon.

The logon process is marked as "advapi", which means that the logon was a Web-based logon through the IIS web server and the advapi process.

If you are not hosting IIS websites, this might mean that the computer is infected. In this case, see How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC? I counsel at least doing a deep scan using Malwarebytes.

If you do host IIS websites, you will need to find out why some module is "impersonating" (that is, taking on the persona and permissions of) the SYSTEM account. This is highly suspicious and negates the isolation of websites from the host.

Qin Heyang

Updated on September 18, 2022
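To locate the service behind each Logon Type 5 event, the practical approach is timestamp correlation: services.exe reports every service start in the System log (Service Control Manager event 7036), and, if "Audit Process Creation" is enabled, the Security log records 4688 events whose parent is services.exe. The script below is an added example, not part of the original answer; it assumes an elevated PowerShell session on the machine that logged the events and that the 4688 events carry the ParentProcessName field (Windows 10 / Server 2016 and later).

```powershell
# Correlate 4624 Logon Type 5 events with SCM state changes (System 7036) and,
# where process-creation auditing is on, 4688 events parented by services.exe.
# Assumption: run elevated on the host that produced the events.
param(
    [int]$Hours = 24,           # how far back to look
    [int]$WindowSeconds = 2     # tolerance around each 4624 timestamp
)

$since = (Get-Date).AddHours(-$Hours)

# 4624 with LogonType 5; the XPath filters on the EventData field directly.
$logons = Get-WinEvent -LogName Security -FilterXPath `
    "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='5']]" `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $since }

# 7036: Properties[0] = service display name, Properties[1] = new state.
$scm = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $since
} -ErrorAction SilentlyContinue

# 4688: Properties[5] = NewProcessName, Properties[13] = ParentProcessName
# (index 13 exists only on Windows 10 / Server 2016 and later).
$procs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties.Count -gt 13 -and $_.Properties[13].Value -like '*\services.exe' }

foreach ($e in $logons) {
    $lo = $e.TimeCreated.AddSeconds(-$WindowSeconds)
    $hi = $e.TimeCreated.AddSeconds($WindowSeconds)
    $svc = $scm   | Where-Object { $_.TimeCreated -ge $lo -and $_.TimeCreated -le $hi } |
           ForEach-Object { "$($_.Properties[0].Value) -> $($_.Properties[1].Value)" }
    $chi = $procs | Where-Object { $_.TimeCreated -ge $lo -and $_.TimeCreated -le $hi } |
           ForEach-Object { $_.Properties[5].Value }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        LogonProcess  = $e.Properties[9].Value            # e.g. Advapi
        TargetLogonId = ('0x{0:X}' -f $e.Properties[7].Value)  # 0x3E7 = SYSTEM session
        ServiceEvents = ($svc -join '; ')
        ChildProcs    = ($chi -join '; ')
    }
}
```

A 4624 row with empty ServiceEvents and ChildProcs means no service start or services.exe child landed inside the window; widen -WindowSeconds or check the Task Scheduler operational log for a task that runs as SYSTEM.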

Comments

  • Qin Heyang
    Qin Heyang over 1 year

    I found a series of Windows logon events 4624 like this:

    An account was successfully logged on.
    
    Subject:
        Security ID:        SYSTEM
        Account Name:       mycomputername$
        Account Domain:     WORKGROUP
        Logon ID:       0x3E7
    
    Logon Information:
        Logon Type:     5
        Restricted Admin Mode:  -
        Virtual Account:        No
        Elevated Token:     Yes
    
    Impersonation Level:        Impersonation
    
    New Logon:
        Security ID:        SYSTEM
        Account Name:       SYSTEM
        Account Domain:     NT AUTHORITY
        Logon ID:       0x3E7
        Linked Logon ID:        0x0
        Network Account Name:   -
        Network Account Domain: -
        Logon GUID:     {00000000-0000-0000-0000-000000000000}
    
    Process Information:
        Process ID:     0x3cc
        Process Name:       C:\Windows\System32\services.exe
    
    Network Information:
        Workstation Name:   -
        Source Network Address: -
        Source Port:        -
    
    Detailed Authentication Information:
        Logon Process:      Advapi  
        Authentication Package: Negotiate
        Transited Services: -
        Package Name (NTLM only):   -
        Key Length:     0
    
    

    Each of them is followed by another 4672 event

    Special privileges assigned to new logon.
    
    Subject:
        Security ID:        SYSTEM
        Account Name:       SYSTEM
        Account Domain:     NT AUTHORITY
        Logon ID:       0x3E7
    
    Privileges:     SeAssignPrimaryTokenPrivilege
                SeTcbPrivilege
                SeSecurityPrivilege
                SeTakeOwnershipPrivilege
                SeLoadDriverPrivilege
                SeBackupPrivilege
                SeRestorePrivilege
                SeDebugPrivilege
                SeAuditPrivilege
                SeSystemEnvironmentPrivilege
                SeImpersonatePrivilege
                SeDelegateSessionUserImpersonatePrivilege
    

    From the looks of this, it seems that a certain service or scheduled task is causing these logons. I tried to look into Windows Logs\Application and Windows Logs\System but found no event that happened at the same time as these logons. I am confused as to how to locate the service or task that is causing these logons. Any suggestions or hints are welcome. Thanks in advance!

  • duct_tape_coder
    duct_tape_coder about 2 years
    I think in my case it ended up being SSRS, which doesn't directly use IIS but has similar OS/http.sys ties.