Win 10 VM tons of Logon and Logoff events (4624 & 4634)

Noah0302 · October 12, 2022

Hi guys,

I have a quick qestion weather it is normal that my Win 10 VM hat so many Logon and Logoff events.

There are over 3000 in just under a week, that seems a bit much to me

Those 3 being the main ones:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
  <EventID>4634</EventID>
  <Version>0</Version>
  <Level>0</Level>
  <Task>12545</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8020000000000000</Keywords>
  <TimeCreated SystemTime="2022-10-12T01:25:03.0142588Z" />
  <EventRecordID>1062516</EventRecordID>
  <Correlation />
  <Execution ProcessID="740" ThreadID="4800" />
  <Channel>Security</Channel>
  <Computer>Win10-PVE</Computer>
  <Security />
  </System>
- <EventData>
  <Data Name="TargetUserSid">S-1-5-90-0-2</Data>
  <Data Name="TargetUserName">DWM-2</Data>
  <Data Name="TargetDomainName">Window Manager</Data>
  <Data Name="TargetLogonId">0xaa91f</Data>
  <Data Name="LogonType">2</Data>
  </EventData>
  </Event>

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
  <EventID>4624</EventID>
  <Version>2</Version>
  <Level>0</Level>
  <Task>12544</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8020000000000000</Keywords>
  <TimeCreated SystemTime="2022-10-12T01:25:36.0144751Z" />
  <EventRecordID>1062910</EventRecordID>
  <Correlation ActivityID="{853ca98e-ddd9-0001-0faa-3c85d9ddd801}" />
  <Execution ProcessID="732" ThreadID="828" />
  <Channel>Security</Channel>
  <Computer>Win10-PVE</Computer>
  <Security />
  </System>
- <EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data>
  <Data Name="SubjectUserName">WIN10-PVE$</Data>
  <Data Name="SubjectDomainName">WORKGROUP</Data>
  <Data Name="SubjectLogonId">0x3e7</Data>
  <Data Name="TargetUserSid">S-1-5-96-0-1</Data>
  <Data Name="TargetUserName">UMFD-1</Data>
  <Data Name="TargetDomainName">Font Driver Host</Data>
  <Data Name="TargetLogonId">0x879b</Data>
  <Data Name="LogonType">2</Data>
  <Data Name="LogonProcessName">Advapi</Data>
  <Data Name="AuthenticationPackageName">Negotiate</Data>
  <Data Name="WorkstationName">-</Data>
  <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
  <Data Name="TransmittedServices">-</Data>
  <Data Name="LmPackageName">-</Data>
  <Data Name="KeyLength">0</Data>
  <Data Name="ProcessId">0x2a8</Data>
  <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
  <Data Name="IpAddress">-</Data>
  <Data Name="IpPort">-</Data>
  <Data Name="ImpersonationLevel">%%1833</Data>
  <Data Name="RestrictedAdminMode">-</Data>
  <Data Name="TargetOutboundUserName">-</Data>
  <Data Name="TargetOutboundDomainName">-</Data>
  <Data Name="VirtualAccount">%%1842</Data>
  <Data Name="TargetLinkedLogonId">0x0</Data>
  <Data Name="ElevatedToken">%%1843</Data>
  </EventData>
  </Event>

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
  <EventID>4624</EventID>
  <Version>2</Version>
  <Level>0</Level>
  <Task>12544</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8020000000000000</Keywords>
  <TimeCreated SystemTime="2022-10-12T01:25:36.0151918Z" />
  <EventRecordID>1062911</EventRecordID>
  <Correlation ActivityID="{853ca98e-ddd9-0001-0faa-3c85d9ddd801}" />
  <Execution ProcessID="732" ThreadID="784" />
  <Channel>Security</Channel>
  <Computer>Win10-PVE</Computer>
  <Security />
  </System>
- <EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data>
  <Data Name="SubjectUserName">WIN10-PVE$</Data>
  <Data Name="SubjectDomainName">WORKGROUP</Data>
  <Data Name="SubjectLogonId">0x3e7</Data>
  <Data Name="TargetUserSid">S-1-5-18</Data>
  <Data Name="TargetUserName">SYSTEM</Data>
  <Data Name="TargetDomainName">NT-AUTORITÄT</Data>
  <Data Name="TargetLogonId">0x3e7</Data>
  <Data Name="LogonType">5</Data>
  <Data Name="LogonProcessName">Advapi</Data>
  <Data Name="AuthenticationPackageName">Negotiate</Data>
  <Data Name="WorkstationName">-</Data>
  <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
  <Data Name="TransmittedServices">-</Data>
  <Data Name="LmPackageName">-</Data>
  <Data Name="KeyLength">0</Data>
  <Data Name="ProcessId">0x2d4</Data>
  <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
  <Data Name="IpAddress">-</Data>
  <Data Name="IpPort">-</Data>
  <Data Name="ImpersonationLevel">%%1833</Data>
  <Data Name="RestrictedAdminMode">-</Data>
  <Data Name="TargetOutboundUserName">-</Data>
  <Data Name="TargetOutboundDomainName">-</Data>
  <Data Name="VirtualAccount">%%1843</Data>
  <Data Name="TargetLinkedLogonId">0x0</Data>
  <Data Name="ElevatedToken">%%1842</Data>
  </EventData>
  </Event>

Thanks in advance!

Jarsky · October 12, 2022

It's quite normal, especially if you have any tasks etc...running as those accounts. I see 2 of those accounts are interactive logons, one of which is the system (I assume that Windows Font Driver is some sort of standard windows task that runs per user) while the last is a service. If that service is frequenty triggered (stop/start) then that could be whats causing a lot of those entries.

Noah0302 · October 13, 2022

11 hours ago, Jarsky said:

It's quite normal, especially if you have any tasks etc...running as those accounts. I see 2 of those accounts are interactive logons, one of which is the system (I assume that Windows Font Driver is some sort of standard windows task that runs per user) while the last is a service. If that service is frequenty triggered (stop/start) then that could be whats causing a lot of those entries.

Thank you, I was getting a bit paranoid that someone has access to my VPN and VM.