Looking at the image closely, it appears that at least one of those audit entries was logging "an attempt to query the existence of a blank password for an account." Whenever somebody logs on (or UAC-elevates, if I remember correctly), one or more of these events are logged as the system checks to see if people have blank passwords; it wouldn't make much sense for the logon UI to prompt for a password if the user didn't have one.
These aren't a problem unless you have an insane amount of logons (or, perhaps, automated Run As invocations) happening all the time. But, since you asked how to get rid of them, here we go:
The Local Security Policy UI lies to you about certain audited activities. (There are actually several activities involved in each of those categories; it generalizes.) To see exactly what is audited, run auditpol /get /category:* at an administrative command prompt. To fully disable auditing, run auditpol /clear, then reboot.
You can back up and restore the audit policy (if you think somebody legitimately and purposefully set up a custom policy) using the /backup and /restore switches on auditpol, both of which require a /file:"\path\to\file" argument immediately following.
Read more about auditing at TechNet.
As you stated, the DC does not capture logins on a remote computer with cached credentials, as the computer may not always be physically connected to the domain. Instead, you'll have to check his computer directly while his computer is online.
You can use the Event Viewer or the wevtutil command at a command prompt to manage event logs on a remote computer.
- Start Event Viewer.
- Click the root node, for example Event Viewer (Local), in the console tree.
- On the Action menu, click Connect to Another Computer
- In the Another computer box, type the name or IP address of the remote computer.
- (Optional) Select Connect as another user, click Set User, enter the User name and Password, and then click OK
- Click OK
Source: Work with Event Logs on a Remote Computer - Microsoft TechNet
Search for Event 4648 - A logon was attempted using explicit credentials on his computer.
As the description says, it is only when a logon uses explicit credentials. This event is generated on logging in or unlocking even with saved credentials (ie: Remote Desktop).
Note: As with any event, you can do additional filtering to remove any automatically generated events (less common with 4648 and username). The GUI (on the Filter tab) provides filtering on some fields. Using the XML tab, you can filter on any field within the event.
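As an added example (not part of the answer above), here is a PowerShell query that does the same thing the Event Viewer steps describe: pull event 4648 from the Security log of a remote computer, read the named fields from the event XML rather than the message text, and drop the automatically generated machine-account entries the note mentions. The computer name and the 7-day window are placeholders.

```powershell
# Added example: list "A logon was attempted using explicit credentials" (4648)
# from a remote computer's Security log. $Computer is a placeholder.
$Computer = 'WORKSTATION01'
$Days     = 7
$ms       = [int64]$Days * 24 * 60 * 60 * 1000   # window in milliseconds for timediff()

# Structured XML query, the same syntax the Event Viewer "XML" filter tab accepts.
$xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4648) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
    </Select>
  </Query>
</QueryList>
"@

Get-WinEvent -ComputerName $Computer -FilterXml $xml -ErrorAction Stop |
  ForEach-Object {
    # Each <Data Name="..."> element in EventData becomes a hashtable entry.
    $e = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $e.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
      Time          = $_.TimeCreated
      SubjectUser   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # who was logged on
      TargetUser    = "$($d.TargetDomainName)\$($d.TargetUserName)"     # credentials that were used
      TargetServer  = $d.TargetServerName
      ProcessName   = $d.ProcessName
      SourceAddress = $d.IpAddress
    }
  } |
  # Machine accounts end in '$' and SYSTEM generates its own 4648s; filter that noise
  # in the same way the note suggests filtering automatically generated events.
  Where-Object {
    $_.TargetUser  -notmatch '\$$' -and
    $_.SubjectUser -notmatch '\$$' -and
    $_.TargetUser  -notmatch '\\SYSTEM$'
  } |
  Sort-Object Time -Descending |
  Format-Table -AutoSize
```

Remote queries need the Windows Event Log Remote Management firewall rules enabled on the target and an account with read access to its Security log.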
Best Answer
To enable the audit of logon events: gpedit.msc. After these steps, Windows will track login attempts, both successful and failed.
To check who logged into your computer, in the Event Viewer, section Windows Logs > Security, find all occurrences of event ID 4624. For more information with screenshots see the article How to Check Computer Login History on Windows 10/11?