Event Viewer/ Success Audit

[Jason]

Okay, last week sometime someone hacked into my PC and
dropped the DAMEWARE software. Well, I removed it and
enabled audit success and failure logins. Well I noticed
that around 2:am in the event viewer this morning there
are success audits, and the user is NT AUTHORITY\SYSTEM.
Does this mean anything? How can I find if that person is
still accessing my pc? This pc has Filemaker on it and it
host databases (via IP/web).

Thanks for any input.

Jay

 

[Jason Garms [MSFT]]

Hi Jay,

"NT AUTHORITY\SYSTEM" is a built-in account that the
system itself uses. You can't actually logon as this
account from the logon screen, or over the network. You
will regularly see this audit event if you have logon/off
auditing enabled.

best,
-jasong

 

[Jay]

-----Original Message-----
Hi Jay,

"NT AUTHORITY\SYSTEM" is a built-in account that the
system itself uses. You can't actually logon as this
account from the logon screen, or over the network. You
will regularly see this audit event if you have logon/off
auditing enabled.

best,
-jasong

Thanks, I was getting worried there for a moment.