Logon, logoff, and locking in the event log
Purpose
To record my notes on logging events related to logon, logoff, and locking of Windows systems on a domain.
Notes
Event IDs
- 4624 : An account was successfully logged on (covers all logon types).
- 4634 : An account was logged off.[1]
- 4800 : The workstation was locked.[2]
- 4801 : The workstation was unlocked.
- 4802 : The screen saver was invoked.
- 4803 : The screen saver was dismissed.
Logon Types (the value of the Logon Type field in 4624)
- 2 : Interactive - A user logged on to this computer.
- 3 : Network - A user or computer logged on to this computer from the network.
- 4 : Batch - Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
- 5 : Service - A service was started by the Service Control Manager.
- 7 : Unlock - This workstation was unlocked.
- 8 : NetworkCleartext - A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form.
- 9 : NewCredentials - A caller cloned its current token and specified new credentials for outbound connections.
- 10 : RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop.
- 11 : CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer.
Replacement Strings
4624
- Subject
  - 1 = Account Name
  - 2 = Account Domain
  - 3 = Logon ID
- New Logon
  - 4 = Security ID
  - 5 = Account Name
  - 6 = Account Domain
  - 7 = Logon ID
  - 12 = Logon GUID
- Logon Type
  - 8 = Logon Type
- Detailed Authentication Information
  - 9 = Logon Process
  - 10 = Authentication Package
- Network Information
  - 11 = Workstation Name
  - 14 = Key Length
  - 18 = Source Network Address
  - 19 = Source Port
- Process Information
  - 16 = Process ID
  - 17 = Process Name
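As an added example (not part of these notes), the Python below applies the 4624 replacement-string mapping above together with the logon type list to one event: the 20 sample strings are constructed, the indices are taken as 0-based with index 0 assumed to be the Subject Security ID (which the notes leave out), and the function names are my own.

```python
# Logon Type values from the notes -> name
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Replacement-string index -> field name, as listed in the notes for 4624 (0-based)
FIELDS_4624 = {
    1: "subject_account", 2: "subject_domain", 3: "subject_logon_id",
    4: "security_id", 5: "account_name", 6: "account_domain", 7: "logon_id",
    8: "logon_type", 9: "logon_process", 10: "auth_package",
    11: "workstation", 12: "logon_guid", 16: "process_id",
    17: "process_name", 18: "source_address", 19: "source_port",
}

# Constructed sample: the 20 replacement strings of one 4624 event, in order
SAMPLE_4624 = [
    "S-1-5-18", "WS01$", "CORP", "0x3e7",                       # 0-3 Subject
    "S-1-5-21-1-2-3-1104", "jdoe", "CORP", "0x5a1b2c",          # 4-7 New Logon
    "10", "User32 ", "Negotiate", "WS01",                       # 8-11
    "{00000000-0000-0000-0000-000000000000}", "-", "-", "0",    # 12-15
    "0x2e8", "C:\\Windows\\System32\\winlogon.exe",             # 16-17
    "10.0.0.5", "51234",                                        # 18-19
]

def decode_4624(strings):
    """Map a 4624 event's replacement strings to named fields by position."""
    rec = {name: strings[i] for i, name in FIELDS_4624.items() if i < len(strings)}
    logon_type = int(rec["logon_type"])
    rec["logon_type_name"] = LOGON_TYPES.get(logon_type, f"Unknown({logon_type})")
    return rec

def review_logon(rec):
    """Return the observations a defender would want surfaced for this logon."""
    notes = []
    logon_type = int(rec["logon_type"])
    if logon_type == 8:   # NetworkCleartext: password reached the auth package unhashed
        notes.append("password passed to the authentication package in cleartext")
    if logon_type == 9:   # NewCredentials: alternate credentials for outbound use
        notes.append("caller specified alternate credentials for outbound connections")
    if logon_type == 10 and not rec["source_address"].startswith(("127.", "::1", "-")):
        notes.append(f"remote desktop logon from {rec['source_address']}")
    return notes

if __name__ == "__main__":
    record = decode_4624(SAMPLE_4624)
    print(record["account_name"], record["logon_type_name"], review_logon(record))
```

The same positional mapping can be applied to the `Properties` array of a record returned by PowerShell's Get-WinEvent.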