Is this a malicious connection in Terminal Services/unauthorized user?
I'm running Windows 7, 64-bit. This is a standalone system; no wireless card, no home network, no file sharing. All Remote Desktop services have been disabled, and port 3389 is blocked at the firewall. This is why I was surprised to see the following in Event Viewer this morning: under Terminal Services-Local Session Manager, "Admin" has no entries, but "Operational" has 593 entries, dating back 2 months to the first day that the system was installed/put into service. These are 'Information' entries, the user is the local system S-1-5-18, and the address is usually (but not always) 'LOCAL'. The Event IDs range from 21-25. Channel is Microsoft-Windows-Terminal Services-Local Session Manager/Operational. Is this simply a record of the times that administrator permission was granted for some purpose, or does it represent a series of malicious remote connections to my system by an unauthorized user? I have been unable to find the answer/specific information online or in my operating system manual. Thanks for any information you can provide.
October 30th, 2011 7:00am

Hi Tergiversada, This S-1-5-18 is a security identifier, refer to this: http://support.microsoft.com/kb/243330 Quote: SID: S-1-5-18 Name: Local System Description: A service account that is used by the operating system. Don't worry about it. It's safe. Regards, Miya. This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 1st, 2011 2:29am

Thank you for your reply. I read the above link, and noted that the user was the local system account. What concerned me was the 'Terminal Services' reference. Isn't that Remote Desktop? That's why I wrote this inquiry; I was afraid that somehow an unauthorized user had accessed the system account remotely. Please pardon my paranoia. I'm new to Windows 7, and just returning to Windows after using a Hackintosh!
November 1st, 2011 8:47am

Could you provide us the details of this event? Regards, Miya. This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 2nd, 2011 3:11am

Certainly. Thank you for your reply. These entries are found in Event Viewer (Local)/Applications and Services/Microsoft/Windows/Terminal Services-Local Session Manager. There are 4 subcategories: Admin (no events), Analytic (page 1-Disabled), Debug (Page 1-Disabled) and Operational (622 Events). These events began the day the system was put into service, 9/1/2011, and continue through yesterday, 11/2/2011. All of the entries are either Event ID 21 Session Logon Succeeded, Event 22 Shell Start Notification Received, 23 Session Logoff Succeeded, 24 Session has been disconnected, or 25 Session has been reconnected.

For the last entry, here are the System Data. Under the Details tab, it says Provider Name: Microsoft Windows Terminal Services Local Session Manager. The GUID is 5D86912-022D-40AA-A3A8-4FA5515C76D7. The Event ID is 25. Version is 0. Level is 4. Task is 0. Opcode is 0. Keywords is 0x1000000000000000. The time created is in Greenwich Mean Time (not my time zone, but my CMOS is correct). Event record ID is 622, same as the Event number. Correlation was left blank. Execution was also left blank. Process ID 668, Thread ID 2156. Channel is Microsoft Windows Terminal Services Local Session Manager-Operational. The Computer is my computer name. Under Security it says [User ID] S-1-5-18.

Here are the User Data from the Details tab: Event XML was left blank. User is Computer name\User Name. Session ID is 1. Address is LOCAL.

Here is more information from the General tab: The Level is Information, the User is System, and the Opcode is Info. Source Network Address is LOCAL. Task category is None.

These events start the day that I had a new hard drive put in (under warranty) by an OEM systems engineer who came to my home office after I had had nothing but trouble with a new system the first two weeks. Windows was re-installed at this time.
I wondered why the installation date for .NET Framework 4.0 Client Profile and .NET Framework 4.0 Extended showed as 2/10/2011 on the system (long before I owned the computer/long before Windows was installed) but so far have been unable to get a satisfactory answer from the OEM. I have continued to have issues on this system, which is why I am asking about the Terminal Services situation. The first Terminal Services session logons, shell start notifications, session logoffs, session disconnections, and reconnections all first appear in the Event Log using the System Administrator Account with the OEM's Service Tag as the Computer Name, on the 2/10/2011 date; then the 9/1/2011 date of Windows installation. I have also seen in the log files where ASP.NET was installed two days later, although I never did this, and have no reason for doing so.

***********************************************************

I have also discovered two entries under Terminal Services Remote Connection Manager, dated two days after the system went into service. Under the General tab: "The Remote Connection Manager selected Kernel Mode RDP protocol stack." The Event ID is 1155. The User is Network Service. Level is Information. Opcode is Info.

Here are the data under the Details tab: Provider: Microsoft Windows Terminal Services Remote Connection Manager. GUID is C76BAA63-AE81-421C-B425-340B4B24157F. The Event ID is 1155. Version is 0. Level is 4. Task 0. Opcode 0. Keywords 0x1000000000000000. User is system. Event Record ID is 1. Correlation is blank. Execution PID is 1140, Thread ID 4272. The Channel is Microsoft Windows Terminal Services Remote Connection Manager--Operational. Computer is the Computer Name. Security is [User ID S-1-5-20]. Event Data is blank. 3-1/2 hours later there is another entry, identical except for the PID, the thread ID, and the Event Record ID is 2 instead of 1. Everything else is the same.
These are the only two entries for the Terminal Services Remote Connection Manager. I have looked at other logs to see if there were suspicious entries in any other logs at about this time. I found this in Event Viewer/Local/Windows Logs/Application, 6 seconds before the first Terminal Services Remote Connection Manager-Operational entry:

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 9/3/2011 5:04:47 AM
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: Elnesciopequeni
Description: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL - 30 user registry handles leaked from \Registry\User\S-1-5-21-1648908695-1887525283-1310556058-1001:

These and other concerns involving security certificates and Windows Update failures are the reasons why I have made this inquiry regarding Terminal Services. Thank you for your time in reading all of this information. If you require further details, please let me know.
November 3rd, 2011 5:29am
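A defender's check for the question this thread keeps circling back to, added here as an example and not code from the thread or from Microsoft: it reads the same LocalSessionManager events (IDs 21-25), pulls the User, Session ID and Address fields shown on the Details tab, and reports any session whose Address is something other than LOCAL. It assumes Windows 7 or later with Windows PowerShell 2.0+, run from an elevated prompt; the function names are chosen here.

```powershell
# Added example, not code from the thread. Lists TerminalServices-LocalSessionManager
# events 21-25 with the User / SessionID / Address fields from the Details tab,
# and reports any session whose Address is not LOCAL.
# Assumes Windows 7 or later, Windows PowerShell 2.0+, run from an elevated prompt.
$LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$Meaning = @{
    21 = 'Session logon succeeded'
    22 = 'Shell start notification received'
    23 = 'Session logoff succeeded'
    24 = 'Session has been disconnected'
    25 = 'Session has been reconnected'
}

function Get-LsmSession {
    # One object per event; the fields live under UserData/EventXML in the event XML.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 21,22,23,24,25 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev = ([xml]$_.ToXml()).Event.UserData.EventXML
        # Event 23 (logoff) carries no Address element; record that explicitly.
        $addr = if ($ev.Address) { [string]$ev.Address } else { '(none)' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Meaning   = $Meaning[$_.Id]
            User      = [string]$ev.User
            SessionID = [string]$ev.SessionID
            Address   = $addr
        } | Select-Object Time, Id, Meaning, User, SessionID, Address
    }
}

function Get-RemoteLsmSession {
    # Sessions that did not originate at the console. With Remote Desktop disabled
    # and 3389 blocked, this should return nothing; any hit names the source address.
    Get-LsmSession | Where-Object { ('LOCAL', '(none)') -notcontains $_.Address }
}

# Overview: how many events per source address, then the non-local ones in detail.
Get-LsmSession | Group-Object Address | Select-Object Count, Name
Get-RemoteLsmSession | Format-Table -AutoSize
```

Console logons, the screen saver lock/unlock cycle and fast user switching all produce 21/23/24/25 events with Address LOCAL, which is why a machine that has never accepted an RDP connection still accumulates hundreds of them.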

I have found a similar unknown user with permissions for some files (i.e. jpeg files in My Documents): S-1-5-21-3855038073-2165487828-4200596032-1005 Are you sure this is not a security problem?
March 5th, 2012 12:30am
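For the SID question in the last reply, an added example (not from the thread) that classifies a SID taken from a file's permissions or an event's Security field and tries to resolve it to an account. It assumes Windows PowerShell 2.0 or later (Win32_UserAccount is used so it also works on Windows 7); Get-LocalMachineSid and Resolve-Sid are names chosen here.

```powershell
# Added example, not code from the thread. Classifies a SID and tries to resolve it.
# Well-known service SIDs seen in this thread; these never belong to a person.
$WellKnown = @{
    'S-1-5-18' = 'NT AUTHORITY\SYSTEM (Local System service account)'
    'S-1-5-19' = 'NT AUTHORITY\LOCAL SERVICE'
    'S-1-5-20' = 'NT AUTHORITY\NETWORK SERVICE'
}

function Get-LocalMachineSid {
    # All accounts created on this machine share the prefix S-1-5-21-<a>-<b>-<c>;
    # take it from any local account (the RID is the last component).
    $acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'" |
            Select-Object -First 1
    return ($acct.SID -replace '-\d+$', '')
}

function Resolve-Sid {
    param([Parameter(Mandatory=$true)][string]$Sid)
    $result = New-Object PSObject -Property @{ Sid = $Sid; Account = ''; Origin = '' }
    if ($WellKnown.ContainsKey($Sid)) {
        $result.Account = $WellKnown[$Sid]
        $result.Origin  = 'well-known built-in SID'
        return $result
    }
    if ($Sid -match '^(S-1-5-21-\d+-\d+-\d+)-(\d+)$') {
        $prefix = $matches[1]
        $rid    = [int]$matches[2]
        # RIDs below 1000 are built-in (500 Administrator, 501 Guest); 1000+ are created accounts.
        $kind   = if ($rid -ge 1000) { 'user-created' } else { 'built-in' }
        if ($prefix -eq (Get-LocalMachineSid)) {
            $result.Origin = "$kind account of this machine (RID $rid)"
        } else {
            # Different prefix: the SID was issued by another installation or domain,
            # e.g. an ACE left behind by an OEM image, a reinstall, or copied files.
            $result.Origin = "$kind account from another installation or domain (RID $rid)"
        }
    } else {
        $result.Origin = 'not a machine/domain account SID'
    }
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $result.Account = $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # IdentityNotMappedException: no account with this SID exists here, so Explorer
        # shows the bare SID in the file's permissions instead of a name.
        $result.Account = '(no matching account on this machine)'
    }
    return $result
}

Resolve-Sid 'S-1-5-18'
Resolve-Sid 'S-1-5-21-3855038073-2165487828-4200596032-1005'
```

A SID whose prefix differs from the machine's own and does not resolve is an orphaned permission entry, not a logged-in user; it carries no rights on the current installation because no account maps to it.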
