5

I'm seeing the following data for an event.

An account was logged off Security ID S-1-5-90-0-10
                           account name DWM-10 at 00:01:24 
                                        DWM-9  at  00:01:36
                           Security Id S-1-5-96-0-9            
                                       UMFD-9 at  00:01:36 logged off

Please explain what it means, especially when I did not log on?

Seth

2 Answers

3
  • S-1-5-96-0-9

  • S-1-5-90-0-10

Both of these users are known system accounts. In this case, S-1-5 belongs to NT_AUTHORITY:

A SID containing only the SECURITY_NT_AUTHORITY identifier authority.

Source: Well-Known SID Structures

Please explain what it means, especially when I did not log on?

Nothing unusual happened.

Ramhound
2

Accounts beginning with S-1-5-90-0 (account names DWM-x) are generated on the fly by the Desktop Window Manager component for its system services.

Accounts beginning with S-1-5-96-0 (account names UMFD-x) are generated on the fly by the User Mode Driver Framework component for its system services.

(Ordinary user accounts begin with S-1-5-21.)

The behaviour you're observing is perfectly normal.

Harry Johnston
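As an added example (not code from either answer), the SID prefixes named in the answers can be checked over logoff records so that only entries whose SID and account name do not fit together are left for review. The function names, the sample records marked as constructed, and the rule that the number in a DWM-x/UMFD-x name equals the last SID component (inferred from the question's own data) are assumptions.

```python
import re

# Prefix meanings come from the answers above; the name stems are the ones
# seen in the question's events (DWM-10, UMFD-9).
KNOWN = [
    ((5, [90, 0]), "DWM", "Desktop Window Manager account"),
    ((5, [96, 0]), "UMFD", "UMFD account"),
    ((5, [21]), None, "ordinary user account"),
]
SID_RE = re.compile(r"S-1-(\d+)((?:-\d+)+)")

def parse_sid(sid):
    """Return (identifier authority, [sub-authorities]) for a SID string."""
    m = SID_RE.fullmatch(sid.strip())
    if m is None:
        raise ValueError(f"not a SID string: {sid!r}")
    return int(m.group(1)), [int(n) for n in m.group(2).split("-")[1:]]

def classify(sid, account):
    """Return (label, consistent) for one logoff record."""
    authority, subs = parse_sid(sid)
    for (p_auth, p_subs), stem, label in KNOWN:
        # Compare whole components, so S-1-5-900-... never matches S-1-5-90.
        if authority != p_auth or subs[:len(p_subs)] != p_subs:
            continue
        if stem is None:
            # A DWM-n/UMFD-n name on an ordinary account SID does not fit.
            return label, not re.fullmatch(r"(DWM|UMFD)-\d+", account, re.I)
        # Assumption drawn from the question's data: the number in the name
        # equals the last sub-authority (DWM-10 <-> S-1-5-90-0-10).
        ok = len(subs) == len(p_subs) + 1 and account.upper() == f"{stem}-{subs[-1]}"
        return label, ok
    return "other", True

def needs_review(records):
    """Keep only records whose SID and account name do not fit together."""
    flagged = []
    for sid, account in records:
        label, ok = classify(sid, account)
        if not ok:
            flagged.append((sid, account, label))
    return flagged

SAMPLE = [
    ("S-1-5-90-0-10", "DWM-10"),   # from the question
    ("S-1-5-96-0-9", "UMFD-9"),    # from the question
    ("S-1-5-21-1111111111-2222222222-3333333333-1001", "alice"),  # constructed
    ("S-1-5-21-1111111111-2222222222-3333333333-1002", "DWM-3"),  # constructed
]
```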