Event Log Managment

Logs .. Logs and More Logs

Windows Logon Types

I have received several requests asking what the different Logon Types are for the different Windows Login/Account Login (528,538,540,672,4624,4634,4768) Events.  These can be found all over the place on Microsoft’s website and others but instead of putting the links I thought I would just put the chart here. 


Logon Type Logon Title Description
2 Interactive A user logged on to this computer
3 Network A user or computer logged on to this computer from the network
4 Batch Used by batch processes that may be executing on behalf of a user without their direct intervention
5 Service Service started
7 Unlock This workstation was unlocked
8 NetworkClearText A user logged on to this computer from the network using credentials using clear text.  Could indicate a logon to IIS with basic authentication.
9 NewCredentials New Credentials
10 RemoteInteractive A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11 CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer.  The domain controller was not contacted to verify the credentials.



June 6, 2008 - Posted by | Audting, Event Log |


  1. Great site, I will be back. Well done

    Comment by Power Home Solar Review | January 27, 2010 | Reply

  2. Hi Isaac, my requirement is a bit different. I am looking at RDC initiated from my PC/Laptop (from where I login to me server). I want to clear all the IP details once I disconnect/logoff from RDC session. I have a batch file which does that but it needs to be run manually. Is there any way we can create a task schedule to run this bat file on disconnect/logoff from RDC session.

    Comment by Thomas Lee | October 14, 2013 | Reply

    • Thomas,

      I have a few questions for you. Are you running the batch file on the server or your laptop? Also what OS are you running the script on, XP, W2k3, W2k8, etc.? What audit settings do you have turned on on the system where you run the script?

      The short answer is yes, how you would go about it depends on your answers to my above questions.

      Comment by Isaac Thompson | October 14, 2013 | Reply

      • I run the batch file on my Laptop. Its on Windows 7. The batch file simple clears the *.rdp and the registry entries that contains my Server IP. The idea is no remove any trace of my even using RDC.

        I do no audit settings.

        Comment by Thomas Lee | October 15, 2013

  3. There is a feature that Microsoft introduced with Vista called Event Triggers, so if you had auditing turned on then you could have your script executed automatically.

    Comment by ithompson | October 15, 2013 | Reply

    • I am afraid mate, I have little knowledge how to get this done. All my knowledge is obtained by searching relevant codes on site as yours. Can you guide me thru how to actually get it done.

      Thanks in advance for your time and effort.

      Comment by Thomas Lee | October 15, 2013 | Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: