Strange User ID in security logs

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Event log shows user as:
user: S-1-5-21-1757981266-1383384898-854245398-1032 with event code of 551,
538 and 527 depending on which phase of logon or logoff user is in. In user
name below I have deleted actual users name, however log shows who the user
is. Why the strange alpha/numeric username? Has my system been hacked?

Ther is no such user

User Name: xxxxxxxx
Domain: SYSTEM3
Logon ID: (0x0,0x95dac)
 
check the following key to see whom the user correlates to.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

Most of the time you will see it refers to the System or Network or other
Built in user like guest. If the guest accout is active, you may have been
hacked. Check and see what the -1032 SID relates to.
 
Back
Top