Difference between revisions of "Logon,logoff,locking in the event log"
Michael.mast (talk | contribs) (Created page with "==Purpose== To record my notes on logging events related to logon, logoff, and locking of Windows systems on a domain. ==Notes== *4624 : All logon types *4634 : An account was...") |
Michael.mast (talk | contribs) (→Notes) |
||
Line 2: | Line 2: | ||
To record my notes on logging events related to logon, logoff, and locking of Windows systems on a domain. | To record my notes on logging events related to logon, logoff, and locking of Windows systems on a domain. | ||
==Notes== | ==Notes== | ||
+ | ===EventIDs=== | ||
*4624 : All logon types | *4624 : All logon types | ||
*4634 : An account was logged off.<ref>https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4634</ref> | *4634 : An account was logged off.<ref>https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4634</ref> | ||
Line 9: | Line 10: | ||
*4803 : Screen saver was dismissed | *4803 : Screen saver was dismissed | ||
<br> | <br> | ||
+ | ===Event Types=== | ||
+ | <ref>https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc787567(v=ws.10)</ref> | ||
+ | *2 : Interactive - A user logged on to this computer. | ||
+ | *3 : Network - A user or computer logged on to this computer from the network. | ||
+ | *4 : Batch - Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | ||
+ | *5 : Service - A service was started by the Service Control Manager. | ||
+ | *7 : Unlock - This workstation was unlocked. | ||
+ | *8 : NetworkCleartext - A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. | ||
+ | *9 : NewCredentials - A caller cloned its current token and specified new credentials for outbound connections. | ||
+ | *10 : RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop. | ||
+ | *11 : CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer. | ||
<br> | <br> | ||
<br> | <br> | ||
<br> | <br> |
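Review bot: the added heading "===Event Types===" mislabels the list under it. The values 2 through 11 are logon types (the Batch entry itself says "Batch logon type"), and they qualify the 4624 entry in the EventIDs list rather than being event types of their own. Suggest renaming the heading to "Logon Types" and adding a short line saying the value appears in 4624 events, so a reader does not confuse these numbers with the event IDs listed above.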
Revision as of 11:06, 6 February 2018
Purpose
To record my notes on logging events related to logon, logoff, and locking of Windows systems on a domain.
Notes
EventIDs
- 4624 : All logon types
- 4634 : An account was logged off.[1]
- 4800 : The workstation was locked.[2]
- 4801 : Workstation was unlocked
- 4802 : Screen saver was invoked
- 4803 : Screen saver was dismissed
Event Types
- 2 : Interactive - A user logged on to this computer.
- 3 : Network - A user or computer logged on to this computer from the network.
- 4 : Batch - Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
- 5 : Service - A service was started by the Service Control Manager.
- 7 : Unlock - This workstation was unlocked.
- 8 : NetworkCleartext - A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form.
- 9 : NewCredentials - A caller cloned its current token and specified new credentials for outbound connections.
- 10 : RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop.
- 11 : CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer.
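The following is an added example, not part of the original notes: it labels exported Security events using the two lists above and totals how long each user's workstation stayed locked by pairing 4800 with the next 4801. The sample events, user names and function names are constructed for illustration, and the TargetUserName and LogonType field names are assumed to follow the Security log event XML layout.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_IDS = {4624: "logon", 4634: "logoff", 4800: "locked", 4801: "unlocked",
             4802: "screensaver on", 4803: "screensaver off"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

def _event(eid, ts, user, logon_type=None):
    """Build one constructed event in the Security log XML layout."""
    lt = f'<Data Name="LogonType">{logon_type}</Data>' if logon_type else ""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{ts}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>{lt}</EventData></Event>')

# Constructed sample data (hypothetical users, not real log output).
SAMPLE = "<Events>" + "".join(_event(*a) for a in [
    (4624, "2018-02-06T08:00:00Z", "alice", 2), (4800, "2018-02-06T12:00:00Z", "alice"),
    (4624, "2018-02-06T12:30:00Z", "alice", 7), (4801, "2018-02-06T12:30:00Z", "alice"),
    (4624, "2018-02-06T13:00:00Z", "bob", 10), (4800, "2018-02-06T15:00:00Z", "alice"),
    (4801, "2018-02-06T15:05:00Z", "alice"), (4634, "2018-02-06T17:00:00Z", "alice"),
]) + "</Events>"

def parse(xml_text):
    """Return sorted (time, user, label) rows; 4624 labels carry the logon type."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        label = EVENT_IDS.get(eid, "other")
        if eid == 4624:
            label += ":" + LOGON_TYPES.get(int(data["LogonType"]), "unknown")
        when = datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")  # drop fraction and Z
        rows.append((when, data["TargetUserName"], label))
    return sorted(rows)

def locked_seconds(rows):
    """Total seconds each user spent locked, pairing 4800 with the next 4801."""
    open_lock, total = {}, {}
    for ts, user, label in rows:
        if label == "locked":
            open_lock.setdefault(user, ts)  # keep the earliest unmatched lock
        elif label == "unlocked" and user in open_lock:
            delta = ts - open_lock.pop(user)
            total[user] = total.get(user, 0) + int(delta.total_seconds())
    return total
```

An unlock also shows up as a 4624 with logon type 7 alongside the 4801, which is why the sample carries both at 12:30.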