How to tell which service or task caused a certain 4624 logon event?

I found a series of Windows logon events 4624 like this:

An account was successfully logged on.

Subject:
    Security ID:        SYSTEM
    Account Name:       mycomputername$
    Account Domain:     WORKGROUP
    Logon ID:           0x3E7

Logon Information:
    Logon Type:         5
    Restricted Admin Mode: -
    Virtual Account:    No
    Elevated Token:     Yes

Impersonation Level:    Impersonation

New Logon:
    Security ID:        SYSTEM
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
    Logon ID:           0x3E7
    Linked Logon ID:    0x0
    Network Account Name: -
    Network Account Domain: -
    Logon GUID:         {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:         0x3cc
    Process Name:       C:\Windows\System32\services.exe

Network Information:
    Workstation Name:   -
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Advapi
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length:         0

Each of them is followed by another event, 4672:

Special privileges assigned to new logon.

Subject:
    Security ID:        SYSTEM
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
    Logon ID:           0x3E7

Privileges:
    SeAssignPrimaryTokenPrivilege
    SeTcbPrivilege
    SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeDebugPrivilege
    SeAuditPrivilege
    SeSystemEnvironmentPrivilege
    SeImpersonatePrivilege
    SeDelegateSessionUserImpersonatePrivilege

From the looks of this, it seems that a certain service or scheduled task is causing these logons. I tried to look into Windows Logs\Application and Windows Logs\System but found no event that happened at the same time as these logons. I am confused as to how to locate the service or task that is causing these logons. Any suggestions or hints are welcome. Thanks in advance!

1 Answer

The first event is documented by Microsoft in the article 4624(S): An account was successfully logged on.

The Logon Type is 5, which means "A service was started by the Service Control Manager". As recorded, the event was generated by C:\Windows\System32\services.exe, which is the Service Control Manager, the component responsible for running, ending, and interacting with system services.

The subject system service is started with the SYSTEM account, which gives it basically unlimited powers, which causes the issuing of 4672(S): Special privileges assigned to new logon.

The logon process is marked as "advapi", which means that the logon was a Web-based logon through the IIS web server and the advapi process.

If you are not hosting IIS websites, this might mean that the computer is infected. See in this case How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC. I counsel to at least do a deep scan using Malwarebytes.

If you do host IIS websites, you will need to find why some module is "impersonating", that is, taking on the persona and permissions of the SYSTEM account. This is highly suspicious and negates the isolation rules of websites from the host.

1
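A way to hunt for the responsible service, as an added example that is not part of the question or the answer above: it pairs each Logon Type 5 event from the Security log with Service Control Manager events (7036 and 7045) in the System log that fall within a few seconds of it. The window size and the number of events inspected are assumed defaults.

```powershell
# Added example: correlate 4624 "Logon Type 5" service logons (Security log)
# with Service Control Manager events (System log) close to them in time:
#   7036 = a service entered the running/stopped state
#   7045 = a new service was installed
# Run from an elevated PowerShell; reading the Security log needs admin rights.
param(
    [int]$WindowSeconds = 5,   # assumed tolerance between the two logs
    [int]$MaxEvents     = 200  # assumed number of recent 4624 events to inspect
)

# XPath filter: only 4624 events whose LogonType data field is 5.
$xpath  = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='5']]"
$logons = @(Get-WinEvent -LogName 'Security' -FilterXPath $xpath `
            -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

if ($logons.Count -eq 0) { Write-Warning 'No Logon Type 5 events found.'; return }

# SCM events covering the same period, widened by the window on both sides.
$scm = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036, 7045
    StartTime    = $logons[0].TimeCreated.AddSeconds(-$WindowSeconds)
    EndTime      = $logons[-1].TimeCreated.AddSeconds($WindowSeconds)
} -ErrorAction SilentlyContinue)

foreach ($logon in $logons) {
    # Event data fields by name (TargetUserName, TargetLogonId, ProcessName, ...).
    $data = @{}
    foreach ($d in ([xml]$logon.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # SCM events close enough in time to be the cause of this logon.
    $near = @($scm | Where-Object {
        [math]::Abs(($_.TimeCreated - $logon.TimeCreated).TotalSeconds) -le $WindowSeconds
    })

    [pscustomobject]@{
        Time       = $logon.TimeCreated
        Account    = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonId    = $data.TargetLogonId
        Process    = $data.ProcessName
        # Properties[0] is the service name in both the 7036 and the 7045 message.
        Candidates = if ($near.Count) {
            ($near | ForEach-Object { "$($_.Id) $($_.Properties[0].Value)" }) -join '; '
        } else { '(no SCM event within window)' }
    }
}
```

7036 is only written when a service changes state, so a long-running service that logs on repeatedly may show no candidate; in that case enable Audit Process Creation (event 4688) so that the executable started under the logon is recorded alongside it.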
