Microsoft-Windows-Security-Auditing

Other System Events

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2

Microsoft-Windows-Security-Auditing

Logoff

An account was logged off.

Subject:
Security ID: TESTGROUND\cacheduser
Account Name: cacheduser
Account Domain: TESTGROUND
Logon ID: 0xbed3f1

Logon Type: 2

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Microsoft-Windows-Security-Auditing

Logoff

User initiated logoff:

Subject:
Security ID: TESTGROUND\cacheduser
Account Name: cacheduser
Account Domain: TESTGROUND
Logon ID: 0xbed3f1

This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed. No further user-initiated activity can occur. This event can be interpreted as a logoff event.

Microsoft-Windows-Security-Auditing

System Integrity

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\l3codeca.acm

Microsoft-Windows-Security-Auditing

Other Policy Change Events

One or more errors occured while processing security policy in the group policy objects.

Error Code: 87
GPO List:
{F0DF8E32-7E0A-4B67-1234-9BD831BFE64C} Windows Audit & Event Log Settings
{AAC1786C-016F-11D2-9012-00C04fB984F9} Default Domain Controllers Policy
{91B2F340-016D-11D2-1234-00C04FB984F9} Default Domain Policy

Microsoft-Windows-Security-Auditing

MPSSVC Rule-Level Policy Change

Windows Firewall ignored a rule because its major version number is not recognized.

Profile: All

Ignored Rule:
ID: clr_optimization_v4.0.30319_32-1
Name: -

Microsoft-Windows-Security-Auditing

Logoff

An account was logged off.

Subject:
Security ID: Domain\ad2user
Account Name: ad1user
Account Domain: Domain
Logon ID: 0xbb55b23

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Microsoft-Windows-Security-Auditing

File System

A handle to an object was requested.

Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: COMPUTER$
Account Domain: DOMAIN
Logon ID: 0x3E7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.9200.16384_none_8325ae6a331660a6\GdiPlus.dll
Handle ID: 0x0
Resource Attributes: -

Process Information:
Process ID: 0x354
Process Name: C:\Windows\System32\svchost.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes

Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BA)
ReadEA: Granted by D:(A;;0x1200a9;;;BA)
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1200a9;;;BA)
WriteAttributes: Not granted

Access Mask: 0x120189
Privileges Used for Access Check: -
Restricted SID Count: 0

Microsoft-Windows-Security-Auditing

Other Logon/Logoff Events

A session was disconnected from a Window Station.

Subject:
Account Name: some.user
Account Domain: SOMEDOMAIN
Logon ID: 0x2335b249

Session:
Session Name: RDP-Tcp#0

Additional Information:
Client Name: wksclient04.lo
Client Address: 192.168.1.6

Microsoft-Windows-Security-Auditing

Process Termination

A process has exited.

Subject:
Security ID: MYDOMAIN\some.user
Account Name: some.user
Account Domain: MYDOMAIN
Logon ID: 0x5E006051

Process Information:
Process ID: 0x5ec4
Process Name: C:\Windows\System32\dllhost.exe
Exit Status: 0x0