
I'm investigating who was using one of our company computers at a certain time. While I was looking through the 4624 / 4634 events in the event log, I found that several times throughout the day there was a 4624 (logon) followed immediately by a 4634 (logoff). According to the event time, they happened at the exact same second. I also checked and both the logon and logoff have the same Logon ID.

The logon type for both is 7. As far as I understand, that means this person unlocked their computer and then immediately relocked it. Many times during the day.

What would cause these logs?

  • There are 1000 milliseconds in a second. The logging reports time in DD:MM:YY HH:MM:SS. Outlook has been known to interact with interactive logon and trigger events. – Colyn1337 Sep 17 '15 at 18:13
  • @Colyn1337 I know it could have been separated by milliseconds. I don't think it's reasonable that a *user* would have unlocked/relocked a computer only milliseconds apart. Also, Outlook is not installed on the problem computer. – just.another.programmer Sep 17 '15 at 18:32
  • There may be other programs trying with session lock/unlock (say something like TeamViewer?). Did you try looking for the processes run by the user? – Alex Mazzariol Sep 17 '15 at 18:41
  • @AlexMazzariol How do I find what processes were run? – just.another.programmer Sep 17 '15 at 18:43
  • Sorry for the misunderstanding; afaik, Windows does not keep track of programs run in the past. I meant, did you try looking at the running processes (e.g. with `tasklist`) to check if there was some remote-access tool running? They are likely to mess with session lock/unlock. – Alex Mazzariol Sep 17 '15 at 18:46
  • @AlexMazzariol There are no remote access programs on the computer. – just.another.programmer Sep 17 '15 at 18:50
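
One way to measure how far apart the paired 4624/4634 events discussed above really are, as an added example that is not part of the original thread. The function name `Get-LogonPair`, the helper `New-SampleEvent` and all sample values are assumptions made for illustration; it pairs events by Logon ID and reports the gap in milliseconds from each event's `SystemTime`.

```powershell
# Added example: pair 4624/4634 events by Logon ID and measure each session.
function Get-LogonPair {
    param([Parameter(Mandatory)][string[]]$EventXml, [int]$LogonType = 7)
    $parsed = foreach ($raw in $EventXml) {
        $ev   = ([xml]$raw).DocumentElement
        $sys  = $ev['System']
        $data = @{}
        foreach ($n in $ev['EventData'].GetElementsByTagName('Data')) {
            $data[$n.GetAttribute('Name')] = $n.InnerText
        }
        [pscustomobject]@{
            Id      = [int]$sys['EventID'].InnerText
            # SystemTime carries sub-second precision.
            Time    = [datetimeoffset]::Parse($sys['TimeCreated'].GetAttribute('SystemTime'),
                          [cultureinfo]::InvariantCulture)
            LogonId = $data['TargetLogonId']
            Type    = [int]$data['LogonType']
            User    = $data['TargetUserName']
            Process = $data['ProcessName']   # present on 4624 only
        }
    }
    $parsed | Where-Object Type -eq $LogonType | Group-Object LogonId | ForEach-Object {
        $on  = $_.Group | Where-Object Id -eq 4624 | Sort-Object Time | Select-Object -First 1
        $off = $_.Group | Where-Object Id -eq 4634 | Sort-Object Time | Select-Object -Last 1
        if ($on -and $off) {
            [pscustomobject]@{
                LogonId    = $on.LogonId
                User       = $on.User
                Logon      = $on.Time
                DurationMs = ($off.Time - $on.Time).TotalMilliseconds
                Process    = $on.Process
            }
        }
    }
}

# Constructed sample events (user, Logon IDs and times invented for illustration).
function New-SampleEvent([int]$Id, [string]$Time, [string]$LogonId) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>" +
    "<EventID>$Id</EventID><TimeCreated SystemTime='$Time'/></System><EventData>" +
    "<Data Name='TargetUserName'>alice</Data><Data Name='TargetLogonId'>$LogonId</Data>" +
    "<Data Name='LogonType'>7</Data></EventData></Event>"
}
$sample = @(
    New-SampleEvent 4624 '2015-09-17T14:02:11.1042500Z' '0x3e1a7c'
    New-SampleEvent 4634 '2015-09-17T14:02:11.1198750Z' '0x3e1a7c'
    New-SampleEvent 4624 '2015-09-17T09:00:00.0000000Z' '0x2b0044'
    New-SampleEvent 4634 '2015-09-17T09:45:30.5000000Z' '0x2b0044'
)
Get-LogonPair -EventXml $sample | Format-Table
```

To run it against the live Security log from an elevated prompt, pass the output of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634} | ForEach-Object { $_.ToXml() }` as `-EventXml`.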

0 Answers