Windows Logon Types

I have received several requests asking what the different Logon Types are for the different Windows Login/Account Login (528,538,540,672,4624,4634,4768) Events. These can be found all over the place on Microsoft’s website and others but instead of putting the links I thought I would just put the chart here.

Logon Type	Logon Title	Description
2	Interactive	A user logged on to this computer
3	Network	A user or computer logged on to this computer from the network
4	Batch	Used by batch processes that may be executing on behalf of a user without their direct intervention
5	Service	Service started
7	Unlock	This workstation was unlocked
8	NetworkClearText	A user logged on to this computer from the network using credentials using clear text. Could indicate a logon to IIS with basic authentication.
9	NewCredentials	New Credentials
10	RemoteInteractive	A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11	CachedInteractive	A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

June 6, 2008 - Posted by ithompson | Audting, Event Log | Windows Logon Types; Logon Types

1 Comment »

Great site, I will be back. Well done

Comment by Power Home Solar Review | January 27, 2010 | Reply

About

My name is Isaac Thompson. I have worked in the IT field since the early 90′s, with over 11 years as a System Admin and then some in Management. Since 2004 I have been working with log and event management, helping other Admins figure out exactly what all these logs mean. From 2004 to Jan of 2011 I worked for Prism Microsystems, working with EventTracker. After leaving Prism in Jan of 2011 I joined the team at LogRhythm. LogRhythm is doing things with log and event management that other vendors are struggling with (www.logrhythm.com). I have helped 100′s of people with their event logs and audit policies. If you have any questions please feel free to leave a comment.

**Feb 14, 2011; Do to some unforseen issues at Prism Microsystems I can no longer in good faith promote their product or services and I have removed all links to their website.

June 2008

S M T W T F S

« May Aug »

1 2 3 4 5 6 7

8 9 10 11 12 13 14

15 16 17 18 19 20 21

22 23 24 25 26 27 28

29 30
Search for:
Blogroll
Twitter for Log Guru
- Violation Of Sensitive Data Storage Policy Led To Exposure Of Info On 3.3 mill Student Loan Recipients - DarkReading: http://bit.ly/bVjDPb 2 years ago
- Ex-TSA Employee Indicted for Tampering With Database of Terrorist Suspects - DarkReading: http://tinyurl.com/yjqf9jq via @addthis 2 years ago
- new webinar on 2/4/10: Insider Gone Bad - Tracking their steps & building your case with Logs - http://tinyurl.com/ye64a7s 2 years ago
- Tech Insight: Learn To Love Log Analysis - DarkReading: http://bit.ly/4IQ3En via @addthis 2 years ago
- assisting a customer track down an internal hacker. 2 years ago
- analyzing a companies Directory Service Audit levels 2 years ago
- presenting at a webinar on Oct 1 .. Topic Logins: http://bit.ly/2bGZux 2 years ago
- must have auto collection & notification of log data: Defense Worker Arrested Accessing Unauthorized Data http://bit.ly/ep94H via @addthis 2 years ago
- Dirty USB shuts down systems for days http://bit.ly/3cSroU 2 years ago
- at a customer site doing training 2 years ago

June 2008
S	M	T	W	T	F	S
« May		Aug »
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30

Archives
- December 2011 (1)
- May 2011 (1)
- July 2010 (1)
- March 2010 (1)
- February 2010 (1)
- December 2009 (1)
- November 2009 (1)
- October 2009 (1)
- September 2009 (1)
- August 2009 (1)
- May 2009 (3)
- April 2009 (1)
Categories
RSS
Entries RSS
Comments RSS

Event Log Managment

Logs .. Logs and More Logs