⚑ Deus Ex Machina ➽ Eventlog Lookup

Deus Ex Machina » Eventlog » Event 7001 - Winlogon

Winlogon - 7001


Information

Description »
User Logon Notification for Customer Experience Improvement Program
Data formatted as » EventData
TSId 6 
  UserSid S-1-5-21-261599921-3503996442-3549998870-14827 

This event is logged when a user logs on to a Win2008 computer, if the "Customer Experience Improvement Program" (CEIP) is enabled.

Although the user field is set to SYSTEM, you can tell which user was logging on by looking at the Event Data. It contains the SID of the user. To resolve the SID to a username, you can use a tool like sid2name, or you can just look in the registry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList, where you will find some subkeys. Hopefully, one will be named the same as the SID you are interested in, and you can look at the ProfileImagePath value to determine the user.