Sunday, April 24, 2011

Event ID 528 - Logon Process Advapi & Type 4

My Event Viewer shows a suspicious logon event: Event ID 528 with Logon Process "Advapi" and Logon Type 4. Searching the computer I could not find an advapi.exe file, which is the name reported for a security-risk virus, so I was a little relieved: there is no virus on the system. Later I found advapi32.dll. A Google search told me that advapi32.dll is the Advanced API services library, supporting numerous APIs including many security and registry calls. It is a runtime library, not a process, and it should not be removed; the logon calls used for service and batch logons (the LogonUser API) live in advapi32.dll, which is why the Logon Process field reads "Advapi" rather than the usual "User32" of an interactive logon.

Next I checked Logon Type 4. It is a batch logon, which at first did not sound good. Another search on the web showed that scheduled tasks use this logon type. That was my answer: I have a scheduled task that runs every day at 6:00 AM, and when I checked the timestamp on the event, it was logged at exactly that time.
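The check described above (filter the 528 events to Logon Type 4, then ask whether a known scheduled task explains each one) is easy to automate over exported log entries. The following is an added example, not code from the original post: it parses the "Successful Logon:" message body of event 528 for the Logon Type, Logon Process and User Name fields, and correlates every batch logon against a list of scheduled tasks by run-as account and time of day. The sample events, task list, account names and the five-minute matching window are all constructed assumptions for the demonstration.

```python
"""Triage Windows 2000/XP/2003 Security-log event 528 by logon type and
correlate batch (type 4) logons with known scheduled tasks."""
import re
from datetime import datetime, timedelta

# Logon Type values used by event 528 on pre-Vista Windows.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample entries (not real log data), as (timestamp, message body)
# in the tab-separated layout event 528 uses in Event Viewer.
SAMPLE_EVENTS = [
    ("2011-04-24 06:00:02",
     "Successful Logon:\n\tUser Name:\tbackupsvc\n\tDomain:\tWKS1\n"
     "\tLogon ID:\t(0x0,0x4A21B)\n\tLogon Type:\t4\n\tLogon Process:\tAdvapi\n"
     "\tAuthentication Package:\tNegotiate\n\tWorkstation Name:\tWKS1"),
    ("2011-04-24 08:31:10",
     "Successful Logon:\n\tUser Name:\talice\n\tDomain:\tWKS1\n"
     "\tLogon ID:\t(0x0,0x5C0F1)\n\tLogon Type:\t2\n\tLogon Process:\tUser32\n"
     "\tAuthentication Package:\tNegotiate\n\tWorkstation Name:\tWKS1"),
    ("2011-04-24 02:13:44",
     "Successful Logon:\n\tUser Name:\tAdministrator\n\tDomain:\tWKS1\n"
     "\tLogon ID:\t(0x0,0x6E11A)\n\tLogon Type:\t4\n\tLogon Process:\tAdvapi\n"
     "\tAuthentication Package:\tNegotiate\n\tWorkstation Name:\tWKS1"),
]

# Constructed list of what the Task Scheduler is known to run (assumed).
SCHEDULED_TASKS = [
    {"name": "NightlyBackup", "run_as": "backupsvc", "daily_at": "06:00"},
]

_FIELD = {
    "user": re.compile(r"User Name:\s*(\S+)"),
    "logon_type": re.compile(r"Logon Type:\s*(\d+)"),
    "logon_process": re.compile(r"Logon Process:\s*(\S+)"),
}


def parse_logon(message):
    """Extract the fields we care about from a 528 message body, or None."""
    found = {}
    for key, rx in _FIELD.items():
        m = rx.search(message)
        if not m:
            return None
        found[key] = m.group(1)
    found["logon_type"] = int(found["logon_type"])
    found["logon_type_name"] = LOGON_TYPES.get(found["logon_type"], "Unknown")
    return found


def explain_batch_logons(events, tasks, window_minutes=5):
    """For every type 4 logon, name the scheduled task that explains it
    (same run-as account, scheduled within window_minutes), else None."""
    results = []
    for ts, message in events:
        fields = parse_logon(message)
        if fields is None or fields["logon_type"] != 4:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        matched = None
        for task in tasks:
            hh, mm = (int(x) for x in task["daily_at"].split(":"))
            scheduled = when.replace(hour=hh, minute=mm, second=0)
            if (task["run_as"].lower() == fields["user"].lower()
                    and abs(when - scheduled) <= timedelta(minutes=window_minutes)):
                matched = task["name"]
                break
        results.append({"time": ts, "user": fields["user"],
                        "process": fields["logon_process"], "task": matched})
    return results


def unexplained(results):
    """Batch logons with no matching scheduled task: these need a closer look."""
    return [r for r in results if r["task"] is None]


if __name__ == "__main__":
    triage = explain_batch_logons(SAMPLE_EVENTS, SCHEDULED_TASKS)
    for r in triage:
        print(f"{r['time']}  {r['user']:<14} via {r['process']:<7} -> {r['task'] or 'UNEXPLAINED'}")
```

A batch logon that lines up with a task's run time and run-as account (the 06:00 one here) is the benign case the post describes; a type 4 logon with no task to explain it, or one for an account that should never run scheduled jobs, is the one worth chasing, starting with the Task Scheduler itself, since attackers create tasks there too.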

