Outlook 2016 Outlook randomly unhides from taskbar

[max221]

I'm running Outlook 2016 on Windows 10 Pro 1909.
I keep Outlook minimized to the taskbar, with the option "hide when minimized."
For the past couple of months, Outlook randomly maximizes (un-hides). It doesn't happen when it's checking for new email; I can't find any task, setting, or anything else that would trigger it. It's not a disaster, but quite irritating to have it launch while I'm in the middle of working on other things...
Any advice would be greatly appreciated--thanks!

 

[max221]

I've noticed that sometimes it maximizes from the taskbar when the desktop background changes. Aside from that, I still haven't found anything.

 

[Diane Poremsky]

I've been testing, watching for it to happen here, but so far, nothing. Another user had the same complaint. I'll ask if it happens when the bg changes.

ETA: I end up having outlook on screen maybe half the day, so its my habits that make it harder to repro.

 

[max221]

Thanks for taking a look at this. I changed the desktop background to change only once a day--sadly, the problem continued.

 

[Vincenzo]

Something to consider trying is to use the Event Viewer (Start button>type Event Viewer).

As soon as the program unhides, open the Event Viewer and look under Windows Logs (most likely in the subsection Application or System) for an event at the minute that it happened. It may give you a hint as to what is causing the issue.

 

[max221]

Something to consider trying is to use the Event Viewer (Start button>type Event Viewer).

As soon as the program unhides, open the Event Viewer and look under Windows Logs (most likely in the subsection Application or System) for an event at the minute that it happened. It may give you a hint as to what is causing the issue.

Looking at the event viewer was an excellent idea; thank you.

I manually changed the desktop background, outlook unhid, and I got the following two events in the Security Log:

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-07-14T14:22:16.641104000Z" />
<EventRecordID>1316223</EventRecordID>
<Correlation ActivityID="{1d301a31-59e2-0000-bb1a-301de259d601}" />
<Execution ProcessID="900" ThreadID="2492" />
<Channel>Security</Channel>
<Computer>LAPTOP-8ON6QGN5</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">LAPTOP-8ON6QGN5$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-18</Data>
<Data Name="TargetUserName">SYSTEM</Data>
<Data Name="TargetDomainName">NT AUTHORITY</Data>
<Data Name="TargetLogonId">0x3e7</Data>
<Data Name="LogonType">5</Data>
<Data Name="LogonProcessName">Advapi </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">-</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x37c</Data>
<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>


Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4672</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12548</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-07-14T14:22:16.641120500Z" />
<EventRecordID>1316224</EventRecordID>
<Correlation ActivityID="{1d301a31-59e2-0000-bb1a-301de259d601}" />
<Execution ProcessID="900" ThreadID="2492" />
<Channel>Security</Channel>
<Computer>LAPTOP-8ON6QGN5</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege</Data>
</EventData>
</Event>

 

[Vincenzo]

I'm not seeing anything that I can make sense out of.
But you are showing the xml view in the Details tab. What does it say in the General tab?
also in the box at the top, what type of event is this? ie Information, Error, etc.

 

[Vincenzo]

Also, in the General tab, click on "Event Log Online Help" and see if you get lucky.

 

[max221]

Also, in the General tab, click on "Event Log Online Help" and see if you get lucky.

Sorry, I wasn't sure what to post.

A user's local group membership was enumerated.

Subject:
Security ID: SYSTEM
Account Name: LAPTOP-8ON6QGN5$
Account Domain: WORKGROUP
Logon ID: 0x3E7

User:
Security ID: LAPTOP-8ON6QGN5\
Account Name:
Account Domain: LAPTOP-8ON6QGN5

Process Information:
Process ID: 0x1a90
Process Name: C:\Windows\System32\svchost.exe

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/13/2020 7:10:17 PM
Event ID: 4798
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: LAPTOP-8ON6QGN5

 

[Vincenzo]

What does it say in these two places? see attached

 

[max221]

There's nothing under Application related by time signature. Here's what I get under Security which is related by time (there are several duplicates of these at each time).

Audit Success 7/17/2020 3:48:43 PM Microsoft Windows security auditing. Event 4672 Special Logon
Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege








Audit Success 7/17/2020 3:54:23PM Microsoft Windows security auditing. Event 4624 Logon

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: LAPTOP-8ON6QGN5$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x378
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.





Audit Success 7/17/2020 4:02:34PM Microsoft Windows security auditing. Event 5379 User Account Management

Credential Manager credentials were read.

Subject:
Security ID: LAPTOP-8ON6QGN5\XXXX
Account Name: XXXX
Account Domain: LAPTOP-8ON6QGN5
Logon ID: 0x8A1AA
Read Operation: Enumerate Credentials

This event occurs when a user performs a read operation on stored credentials in Credential Manager.

 

[Vincenzo]

I don't see anything in those events that gives me any clue.

I also tried to reproduce this by hiding Outlook when minimized, and setting the desktop background to change every minute, but it does not unhide on my computer.

 

[max221]

The problem continues... It also started on my work laptop last week. My home laptop is a Lenovo T570, work is a Lenovo L380. The work laptop has much less non-essential software, so I am truly puzzled--unless this is some peculiarity specific to Lenovos?