Difference between revisions of "Logon,logoff,locking in the event log"
Revisions by Michael.mast (talk | contribs), edits to the Notes section.
Revision as of 12:35, 6 February 2018
Purpose
To record my notes on logging events related to logon, logoff, and locking of Windows systems on a domain.
Notes
EventIDs
- 4624 : All logon types
- 4634 : An account was logged off.[1]
- 4800 : The workstation was locked.[2]
- 4801 : The workstation was unlocked.
- 4802 : The screen saver was invoked.
- 4803 : The screen saver was dismissed.
Logon Types
- 2 : Interactive - A user logged on to this computer.
- 3 : Network - A user or computer logged on to this computer from the network.
- 4 : Batch - Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
- 5 : Service - A service was started by the Service Control Manager.
- 7 : Unlock - This workstation was unlocked.
- 8 : NetworkCleartext - A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form.
- 9 : NewCredentials - A caller cloned its current token and specified new credentials for outbound connections.
- 10 : RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop.
- 11 : CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer.
Replacement Strings
4624
- Subject
  - 1 = Account Name
  - 2 = Account Domain
  - 3 = Logon ID
- New Logon
  - 4 = Security ID
  - 5 = Account Name
  - 6 = Account Domain
  - 7 = Logon ID
  - 12 = Logon GUID
- Logon Type
  - 8 = Logon Type
- Detailed Authentication Information
  - 9 = Logon Process
  - 10 = Authentication Package
- Network Information
  - 11 = Workstation Name
  - 14 = Key Length
  - 18 = Source Network Address
  - 19 = Source Port
- Process Information
  - 16 = Process ID
  - 17 = Process Name
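An added example (my own, not from the wiki author) that applies the positions above from PowerShell: `Get-WinEvent` exposes the same 0-based replacement strings through `.Properties`, so the indices listed for 4624 can be turned into named fields and then filtered by logon type. It assumes an elevated session on a Windows host with 4624 events in its Security log; `ConvertFrom-Logon4624` and `$LogonTypeNames` are names chosen for this example.

```powershell
# Logon type values from the list above, keyed by the value found at position 8.
$LogonTypeNames = @{
    2 = 'Interactive';      3 = 'Network';           4  = 'Batch'
    5 = 'Service';          7 = 'Unlock';            8  = 'NetworkCleartext'
    9 = 'NewCredentials';  10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function ConvertFrom-Logon4624 {
    # One EventLogRecord in, one flat object out. .Properties holds the event's
    # replacement strings in the same 0-based order the list above uses.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $p = $Record.Properties | ForEach-Object { $_.Value }
        $type = [int]$p[8]
        [pscustomobject]@{
            Time          = $Record.TimeCreated
            SubjectUser   = '{0}\{1}' -f $p[2], $p[1]   # 1 = account, 2 = domain
            NewLogonUser  = '{0}\{1}' -f $p[6], $p[5]   # 5 = account, 6 = domain
            NewLogonSid   = [string]$p[4]
            LogonId       = '0x{0:X}' -f $p[7]          # hex, as Event Viewer shows it
            LogonType     = $type
            LogonTypeName = $LogonTypeNames[$type]
            LogonProcess  = $p[9]
            AuthPackage   = $p[10]
            Workstation   = $p[11]
            LogonGuid     = [string]$p[12]
            ProcessName   = $p[17]
            SourceAddress = $p[18]
            SourcePort    = $p[19]
        }
    }
}

# Newest 500 successful logons, keeping the ones a person sat behind: console (2),
# unlock (7), RDP (10) and cached-credential (11). NetworkCleartext (8) is kept
# too, since the password reached the authentication package unhashed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    ConvertFrom-Logon4624 |
    Where-Object { $_.LogonType -in 2, 7, 8, 10, 11 } |
    Sort-Object Time -Descending |
    Format-Table Time, NewLogonUser, LogonTypeName, Workstation, SourceAddress -AutoSize
```

On Windows PowerShell 5.1 the same positions are also reachable as `(Get-EventLog -LogName Security -InstanceId 4624).ReplacementStrings[n]`, which is the array the section heading refers to.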