133 Logon Events (ID 4624) in 1 hour - should I be worried?

Hello @tsomek,
Welcome to TenForums.

You might find having the Message data shown helpful. Copy & Paste the following ALL at once into a CMD Prompt and press Enter.

Code:

@echo off

PowerShell ^
     $ErrorActionPreference='SilentlyContinue'; ^
     $Tot=((Get-WinEvent -FilterHashtable @{LogName='Security'; Id='4624'}) ^| Measure-Object).Count; ^
     $List=(Get-WinEvent -FilterHashtable @{LogName='Security'; Id='4624'}  ^| Sort-Object -Property ProviderName, TimeCreated -Descending ^| Format-Table -AutoSize ^
     @{L='Provider Name'     ;E={;if([string]::IsNullOrWhiteSpace($_.ProviderName))     {'-'} else {$_.ProviderName}}}, ^
     @{L='Time Created'      ;E={;if([string]::IsNullOrWhiteSpace($_.TimeCreated))      {'-'} else {$_.TimeCreated}}}, ^
     @{L='Log Name'          ;E={;if([string]::IsNullOrWhiteSpace($_.LogName))          {'-'} else {$_.LogName}}}, ^
     @{L='ID'                ;E={;if([string]::IsNullOrWhiteSpace($_.Id))               {'-'} else {$_.Id}};A='Left'}, ^
     @{L='Process ID'        ;E={;if([string]::IsNullOrWhiteSpace($_.ProcessId))        {'-'} else {$_.ProcessId}}}, ^
     @{L='Record ID'         ;E={;if([string]::IsNullOrWhiteSpace($_.RecordID))         {'-'} else {$_.RecordID}}}, ^
     @{L='Level Display Name';E={;if([string]::IsNullOrWhiteSpace($_.LevelDisplayName)) {'-'} else {$_.LevelDisplayName}}}, ^
     @{L='Message'           ;E={;if([string]::IsNullOrWhiteSpace($_.Message))          {'-'} else {$_.Message.Split('.')[0] + '.'}}} ^| ^
Out-String -Width 1000).Trim("""`r`n"""); ^
     if ($List.Length) {Write-Host """`n `n--- Logon Events [Successful] - [$Tot] - Sorted by [ProviderName, TimeCreated -Descending] ---`n`n `n`n$List"""} else ^
                       {Write-Host """`n `n--- NO Logon Events [Successful] Available ---"""; exit 1} >> %Temp%\A.txt
     for /f "delims=" %i in (%Temp%\A.txt) do echo. %i
     del %Temp%\A.txt & echo.

echo. & echo ^>Press ANY key to EXIT . . . & pause >nul & Exit

If you want the Logon Events [Failed], let me know and I can post the code for you..

I hope this helps.

EventID 4624 shows so many spurious entries because it includes System 'logins'. Windows manages many processes by treating the System as if it were a user.

Perhaps the Event viewer, Custom view definition I posted in another thread will help you see only real logins.


All the best,
Denis

Thanks for the rep.

Event viewer can be a real pig.

You might find this useful in the future [it is not related to your current issue]:
Make customisable Event viewer, Custom view, Administrative Events [post #4] in Windows 10 and 11 - TenForums
I make use of this to run Event viewer twice with the windows arranged side by side. I have the above view in one window and can use the other window to drill down into items of interest that it identifies.


All the best,
Denis

tsomek said:

Hi thanks for the help, I've done that and get a more detailed output, but from what I can tell I still get the same overwhelming amount of entries..

I've had only 16 entries today.

You can reduce it to only EventIDs 5 & 4647 if you want to trim it even more. [i.e. remove EventIDs 1,3,4,67]
I just keep the others so they are in view if I need to start investigating any problems.
Here is that reduced Custom view definition to save you a couple of seconds editing the old one:-
User log on-off - reduced.zip



All the best,
Denis

tsomek said:

is there really no way of getting JUST the real life logins?

That's all I get in that reduced Custom view.
1 entry at each real user logoff
2 entries at each real user logon [and I could not reduce that because they are both EventID 5]

The non-reduced Custom view definition listed
3 entries at each real user logoff
5 entries at each real user logon

What are the other things you are seeing then?

Denis

Great.

All the best,
Denis

---

And welcome to TenForums.

It's really worth making time to browse through the Tutorial index - there's a shortcut to it at the top of every page.

- At the foot of the Tutorial index is a shortcut to download it as a spreadsheet.
- I download a new copy each month.
- By downloading it as a spreadsheet I can benefit from Excel's excellent filtering capabilities when I search for topics of interest.

- Tutorials are also listed by category at Tutorials - there's also a shortcut to that at the top of every page.
- Both tutorial lists are searchable.
- You can also search for TenForumsTutorials in many general search engines, such as Google, by adding site:tenforums.com/tutorials after your search term. For example,
taskbar toolbars site:tenforums.com/tutorials

You can search TenForums using the search box in the top-right corner of all TenForums webpages or using Advanced Search - TenForums
- You can also search TenForums threads in many general search engines, such as Google, by adding site:tenforums.com after your search term. For example,
Search for drivers by HardwareID site:tenforums.com
- [This is what the search box in the top-right corner of TenForums webpages does automatically]