What can the Windows log event ID 4624 be used for?
Event ID 4624 (viewed in Windows Event Viewer) documents every successful attempt at logging on to a local computer. This event is generated on the computer that was accessed, in other words, where the logon session was created. A related event, Event ID 4625, documents failed logon attempts.
What is the event ID 4660?
Event ID 4660 is logged when an object is deleted. The object's audit policy must have auditing enabled for deletions by that particular user or group. Event 4660 can be correlated with event 4656, as they share the same handle ID. Deleting an object triggers both this event and event 4663.
Where can you find the events that are related to security, such as logon, logoff, and accessing resources?
When you access a Windows server on the network, the relevant Logon/Logoff events appear in the server’s Security log. So, although account logon events that are associated with domain accounts are centralized on DCs, Logon/Logoff events are found on every system in the domain.
What is event code 4627?
Event 4627 is generated along with event 4624 (successful account logon) and lists every group that the logged-on account belongs to. If all of this security information cannot fit into a single audit event, multiple events are generated.
How do I see who is logged into my Windows 2008 server?
- Open the command-line interface by running “cmd” in the Run dialog box (Win + R).
- Type query user and press Enter. It lists all users who are currently logged on to your computer.
How do you check who deleted files in Windows Server 2008?
Reviewing events
- Open the Event Viewer and search the security log for event ID 4656 with a task category of “File System” or “Removable Storage” and the string “Accesses: DELETE”.
- Review the report. The “Subject: Security ID” field will show who deleted each file.
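The 4656/4660 handle-ID correlation described above (and the “who deleted this file” question it answers), as an added example that is not part of the original page or of any Microsoft tooling: field names follow the Security log's EventData, but the records and handle IDs are constructed.

```python
from dataclasses import dataclass

# Constructed sample records mimicking the EventData fields of an
# exported Security log; HandleId values are arbitrary, not real.
SAMPLE_EVENTS = [
    {"EventID": 4656, "HandleId": "0x1a4", "SubjectUserName": "alice",
     "ObjectName": "C:\\Share\\budget.xlsx", "Accesses": "DELETE"},
    {"EventID": 4660, "HandleId": "0x1a4", "SubjectUserName": "alice"},
    # Handle opened for read and closed again (4658): no deletion.
    {"EventID": 4656, "HandleId": "0x2b0", "SubjectUserName": "bob",
     "ObjectName": "C:\\Share\\notes.txt", "Accesses": "ReadData"},
    {"EventID": 4658, "HandleId": "0x2b0", "SubjectUserName": "bob"},
    # 4660 whose 4656 has already been overwritten: name unrecoverable.
    {"EventID": 4660, "HandleId": "0x3c9", "SubjectUserName": "carol"},
]

@dataclass
class Deletion:
    subject: str      # Subject of the 4660: who deleted the object
    object_name: str  # from the matching 4656, or a placeholder
    handle_id: str

def correlate_deletions(events):
    """Join each 4660 to the 4656 that opened the same HandleId.
    4660 names the handle and the subject but not the object; only the
    4656 has the object name. A 4658 (handle closed) retires the handle
    so a later reuse of the same HandleId is not mis-attributed.
    """
    open_handles = {}  # HandleId -> most recent 4656 for that handle
    deletions = []
    for ev in events:
        eid, hid = ev["EventID"], ev["HandleId"]
        if eid == 4656:
            open_handles[hid] = ev
        elif eid == 4658:
            open_handles.pop(hid, None)
        elif eid == 4660:
            req = open_handles.pop(hid, None)
            deletions.append(Deletion(
                subject=ev["SubjectUserName"],
                object_name=req["ObjectName"] if req else "<no matching 4656>",
                handle_id=hid,
            ))
    return deletions

if __name__ == "__main__":
    for d in correlate_deletions(SAMPLE_EVENTS):
        print(f"{d.subject} deleted {d.object_name} (handle {d.handle_id})")
```

The orphaned 4660 for “carol” is the case to watch for in practice: if the log overwrites older events before you export it, the object name of a deletion is lost, which is why the log size setting mentioned below matters.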
How do I know if file audit is enabled?
Enable object auditing in Windows:
- Navigate to Administrative Tools > Local Security Policy.
- In the left pane, expand Local Policies, and then click Audit Policy.
- Select Audit object access in the right pane, and then click Action > Properties.
- Select Success and Failure.
- Click OK.
What service is Advapi?
The logon process is marked as “advapi”, which means that the logon was a Web-based logon through the IIS web server and the advapi process. If you are not hosting IIS websites, this might mean that the computer is infected.
How do I find the client IP address in Event Viewer?
Event Viewer: open the Computer Management Console and scroll down to locate the logon event. Under the “General” tab for that event, the Source Network Address field shows the IP address of the client connecting to your server.
How can I see Windows Logon events?
To view the events, open Event Viewer and navigate to Windows Logs > Security. Here you’ll find details of all events that you’ve enabled auditing for. You can define the size of the security log here, as well as choose to overwrite older events so that recent events are recorded when the log is full.