As mentioned above, I think this is to do with the type of account. When setting up an account on Windows 8, it allows you to create an account by supplying an email address such as a Windows Live/Hotmail email address. If a "Microsoft account" is used, then I think it is normal (expected) for the login count to not increment. If this is the case, you should see an email address in the SAM with the other account info, or at least this was the case with Windows 8.0.
Yeah, exactly what it is: it's linked to a Microsoft account, so that's why. Just wanted to know. Now to determine the last logon via event logs.
Hi,
I'm investigating a WIN 8.1 system.
In the SAM registry hive, I see two manually created user accounts.
Both have a login count of "0" and a last logon time of "Never".
How is this possible when i know that the computer has been used a lot?
Thanks
Well, there are a number of things at play here…
First, do you have any information to show that those two user accounts, specifically, had been used to log into the system?
Beyond the Windows Event Logs, do the accounts have profiles on the system (i.e., subfolders in the C:\Users folder)?
You can create local accounts on the system, but the profiles won't be created until the users actually log into the system. When I say "login", that is an event ID 4624 record, but it should be a type 2 or type 10 login…type 3 logins (access to network resources, like shares and printers) won't cause a profile to be created.
Second, from where within the file system did you retrieve the SAM? If the accounts were added to the system, the SAM file backed up, and THEN the users logged in, you won't see the updated information.
I have found logon information (event ID 4624) inside the Security log, but in the same second a logoff is logged (event ID 4634).
Does anyone have a white paper that could explain a bit more about the event logs?
Thanks
There are a number of Event Log white papers available…some explain how to set them up, some explain how to analyze them when looking to detect or investigate an incident.
Is there a specific topic that you're interested in?
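The checks suggested earlier in the thread (does the account have a profile folder, and are its 4624 records type 2 or 10 rather than type 3) and the 4624/4634 pairing asked about in the last question can be done in one pass over the exported Security log. The following PowerShell is an added example and is not code from anyone in this thread; it assumes, hypothetically, that the Security log and the Users folder were exported from the image to C:\case\Security.evtx and C:\case\Users, and that the account of interest is named 'jdoe'. It goes slightly beyond the posts above by also treating type 11 (cached interactive) as an interactive logon and by pairing each 4624 with its 4634 through the Logon ID field, which shows how long each session lasted.

```powershell
# Added example, not from the original thread. Hypothetical paths and account name.
param(
    [string]$Evtx    = 'C:\case\Security.evtx',   # Security log exported from the image
    [string]$Users   = 'C:\case\Users',           # C:\Users exported from the image
    [string]$Account = 'jdoe'                     # SAM user name being investigated
)

# 1. A local account only gets a profile folder after its first interactive logon.
$profileDir = Join-Path $Users $Account
if (Test-Path $profileDir) {
    "Profile folder present: $profileDir"
} else {
    "No profile folder for $Account under $Users (never logged on interactively, or profile stored elsewhere)"
}

# Logon type values as documented by Microsoft for event 4624.
$LogonTypes = @{
    2  = 'Interactive (console)'
    3  = 'Network (share/printer access)'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

# Pull a named EventData field (TargetUserName, TargetLogonId, LogonType, ...) out of a record's XML body.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 2. Read every logon (4624) and logoff (4634) from the exported log, oldest first.
$events = Get-WinEvent -FilterHashtable @{ Path = $Evtx; Id = 4624, 4634 } -ErrorAction SilentlyContinue |
          Sort-Object TimeCreated

$open = @{}   # TargetLogonId -> the 4624 record that is still waiting for its 4634
$sessions = foreach ($e in $events) {
    if ((Get-EventField $e 'TargetUserName') -ne $Account) { continue }
    $logonId = Get-EventField $e 'TargetLogonId'
    if ($e.Id -eq 4624) {
        $open[$logonId] = $e
    } elseif ($open.ContainsKey($logonId)) {
        # 3. A 4634 closes the 4624 that carries the same Logon ID; a gap of
        #    zero seconds is what a short network (type 3) logon looks like.
        $on   = $open[$logonId]
        $type = [int](Get-EventField $on 'LogonType')
        [pscustomobject]@{
            LogonId     = $logonId
            Type        = $type
            Meaning     = $LogonTypes[$type]
            Start       = $on.TimeCreated
            End         = $e.TimeCreated
            Seconds     = [int]($e.TimeCreated - $on.TimeCreated).TotalSeconds
            Interactive = ($type -in @(2, 10, 11))
        }
        $open.Remove($logonId)
    }
}

$sessions | Format-Table -AutoSize

# Logons that never got a 4634: still open at acquisition time, or the logoff was not recorded.
"Logons for $Account with no matching logoff: $($open.Count)"
"Interactive (type 2/10/11) sessions for $Account: $(@($sessions | Where-Object Interactive).Count)"
```

Run it from the case folder as `.\Get-Sessions.ps1 -Account jdoe`. A pairing is done on TargetLogonId rather than on timestamps because a busy system can log several 4624/4634 pairs for the same user in the same second; the Logon ID is the only field that ties a specific logoff to its logon. Any session with Interactive = True and a non-trivial duration is the evidence that the account was actually used at the console or over RDP, whatever the SAM counters say.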