NT AUTHORITY *hackr* Logon ID 0x3e7 / 0x3e5

This is all over my event logs: 200,000 new security events. It impersonates a system function to get my logon info, then logs on as me, but still with the logon ID 0x3e7. Then I get all kinds of special privileges like write privileges to my antivirus executables and shields, loads an authentication package to authenticate logon attempts, a notification package to be notified of any account or password changes, sends and receives many packages, and causes Windows to install system updates.

McAfee, Norton, Kaspersky, Sophos, and Vipre won't identify any problem.

How do I kill it?

Answer

You are looking at log entries of the LocalSystem Account, which is designed to do exactly the types of things you are indicating.  This is completely normal and only sounds suspicious due to the various special abilities it must have to impersonate a user, since that's how it gains the privileges necessary to perform certain update or other system tasks.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx

These are being logged because the Audit Sensitive Privilege Use security policy is enabled.

https://technet.microsoft.com/en-us/library/dd772724(v=ws.10).aspx

My recommendation is to stay out of the event viewer unless you wish to spend hundreds of hours researching these entries on the Microsoft websites, since many of them sound strange and most are normal and in truth have little meaning in day-to-day use.

Note that I'm not stating you can't spend time doing this, only that for most it is an utter waste of time, since it provides no real value in improving your daily use of your PC.

Rob

49 people found this reply helpful
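A way to confirm Rob's explanation on your own machine, added here as an example and not something posted in the thread: the well-known logon IDs are fixed on every Windows install (0x3e7 is the SYSTEM/LocalSystem session, 0x3e5 LOCAL SERVICE, 0x3e4 NETWORK SERVICE), and the "special privileges" entries are event IDs 4672 and 4673 in the Security log. The script below reads the current Audit Sensitive Privilege Use setting, groups the last 24 hours of those events by logon session, and then lists only the privileged calls that did not come from a built-in service session, which is the short list actually worth reading. It assumes an elevated PowerShell session; the 24-hour window is an arbitrary choice.

```powershell
# Added example (not from the original thread): triage the Security log entries the
# question describes. Well-known logon IDs are the same on every Windows system:
#   0x3e7 = SYSTEM (LocalSystem), 0x3e5 = LOCAL SERVICE, 0x3e4 = NETWORK SERVICE
# Run from an elevated PowerShell (reading the Security log and auditpol need it).

$WellKnownSessions = @{
    '0x3e7' = 'SYSTEM (LocalSystem)'
    '0x3e5' = 'LOCAL SERVICE'
    '0x3e4' = 'NETWORK SERVICE'
}

# 1. Show whether the subcategory that produces these events is being audited.
#    "Success and Failure" on a busy box explains six-figure event counts.
Write-Host "=== Current audit setting ==="
auditpol.exe /get /subcategory:"Sensitive Privilege Use"

# 2. Collect the relevant events:
#    4672 = "Special privileges assigned to new logon"
#    4673 = "A privileged service was called"
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4672, 4673
    StartTime = (Get-Date).AddHours(-24)   # assumed window; widen as needed
} -ErrorAction Stop

# Read a named <Data Name="..."> field from an event's XML payload.
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$Rows = foreach ($e in $Events) {
    $xml     = [xml]$e.ToXml()
    $logonId = Get-EventField $xml 'SubjectLogonId'   # rendered as e.g. "0x3e7"
    $session = if ($WellKnownSessions.ContainsKey($logonId)) {
        $WellKnownSessions[$logonId]
    } else {
        'interactive/other session'
    }
    [pscustomobject]@{
        EventId   = $e.Id
        Account   = '{0}\{1}' -f (Get-EventField $xml 'SubjectDomainName'),
                                 (Get-EventField $xml 'SubjectUserName')
        LogonId   = $logonId
        Session   = $session
        Process   = Get-EventField $xml 'ProcessName'   # present on 4673 only
        Privilege = (Get-EventField $xml 'PrivilegeList') -replace '\s+', ' '
    }
}

# 3. Summarise by logon session. On a healthy machine almost everything lands
#    in the built-in service sessions, which is what the thread describes.
Write-Host "`n=== Events per logon session (last 24h) ==="
$Rows | Group-Object LogonId, Session |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 4. Everything NOT from a built-in service session: which account, which
#    process, which privilege. This is the part worth a human's attention.
Write-Host "`n=== Privileged calls outside the built-in service sessions ==="
$Rows | Where-Object { -not $WellKnownSessions.ContainsKey($_.LogonId) } |
    Group-Object Account, Process, Privilege |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

If the first table shows nearly all events under 0x3e7 and the second is empty or contains only your own account's normal activity, the log matches Rob's description and there is nothing to "kill"; if the second table shows an unfamiliar process repeatedly exercising a privilege, that process name and account are what to investigate further, not the SYSTEM entries.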


Question Info

Last updated March 7, 2025. Views 59,024.