{"id":52,"date":"2016-02-10T19:53:39","date_gmt":"2016-02-10T19:53:39","guid":{"rendered":"http:\/\/eventlogxp.com\/blog\/?p=52"},"modified":"2016-03-20T19:08:32","modified_gmt":"2016-03-20T19:08:32","slug":"logon-type-what-does-it-mean","status":"publish","type":"post","link":"https:\/\/eventlogxp.com\/blog\/logon-type-what-does-it-mean\/","title":{"rendered":"Logon type &#8211; what does it mean?"},"content":{"rendered":"<p>In my previous <a href=\"http:\/\/eventlogxp.com\/blog\/exploring-who-logged-on-the-system\/\">post<\/a>, I explained how to display the logon type for logon events in the Security log and described the meaning of some values. Here I will give you more information about logon types.<\/p>\n<p>The descriptions of some events (4624, 4625) in the Security log commonly contain some information about &#8220;logon type&#8221;, but it is too brief:<\/p>\n<blockquote><p>The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).<\/p><\/blockquote>\n<p>Microsoft provides a more detailed description of logon types at <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc787567(v=ws.10).aspx\" target=\"_blank\">https:\/\/technet.microsoft.com\/en-us\/library\/cc787567(v=ws.10).aspx<\/a> (Audit Logon Events).<br \/>\nThis topic at the Microsoft site is about logon event auditing for pre-Vista operating systems, but it looks like the Logon Type constants are valid for all Windows operating systems.<\/p>\n<p>Therefore, I will copy the Microsoft descriptions here and add my own comments.<\/p>\n<p><strong>Logon Type 2: Interactive. A user logged on to this computer.<\/strong><\/p>\n<p>An event with logon type = 2 occurs whenever a user logs on (or attempts to log on) to a computer locally, e.g. by typing a user name and password at the Windows logon prompt. Events with logon type = 2 occur when a user logs on with either a local or a domain account. 
However, if a user logs on with a domain account, this logon type will appear only when the user was actually authenticated in the domain (by a domain controller). If the DC is not available but the user provided valid domain credentials that are cached on the local PC, Windows will log an event with logon type = 11.<\/p>\n<p><strong>Logon type 3: Network. A user or computer logged on to this computer from the network.<\/strong><\/p>\n<p>The description of this logon type clearly states that the event is logged when somebody accesses a computer from the network. Commonly it appears when connecting to shared resources (shared folders, printers etc.). As we learned in the previous post, a connection with logon type = 3 can be established even from the local computer itself.<\/p>\n<p><strong>Logon type 4: Batch. Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.<\/strong><\/p>\n<p>This event type appears when a scheduled task is about to be started. E.g. if you use Windows Task Scheduler and it&#8217;s time to start a task, Windows may create a new logon session to execute this task and register logon events (4648, 4624\/4625). If a task is scheduled to run only when the &#8220;designated&#8221; user is logged on, a new logon session won&#8217;t be opened and logon events won&#8217;t be logged.<\/p>\n<p><strong>Logon type 5: Service. A service was started by the Service Control Manager.<\/strong><\/p>\n<p>When Windows starts a service which is configured to log on as a user, Windows will create a new logon session for this service. This happens only if the service uses a &#8220;common&#8221; user account. If it uses special accounts, e.g. &#8220;Local System&#8221;, &#8220;NT AUTHORITY\\LocalService&#8221; or &#8220;NT AUTHORITY\\NetworkService&#8221;, Windows won&#8217;t create new logon sessions. 
The opened logon session will be closed when the service stops, and a logoff event (4634) will be registered.<br \/>\nNote that the event description doesn&#8217;t contain any information about the service name; the process information lists only the name of the Service Control Manager (services.exe). When an Audit Failure logon event (4625) is registered with logon type = 5, this commonly means that the &#8220;designated&#8221; user has changed their password, and you should update the service logon details.<\/p>\n<p><strong>Logon type 7: Unlock. This workstation was unlocked.<\/strong><\/p>\n<p>An event with logon type = 7 occurs when a user unlocks (or attempts to unlock) a previously locked workstation. Note that when a user unlocks the computer, Windows creates a new logon session (or 2 logon sessions, depending on the elevation conditions) and immediately closes it (with event 4634). When you switch between logged-on user accounts with the Fast User Switching feature, you may think that such switching generates event 4624 with logon type = 7 because it looks like you lock and unlock the workstation. However, Windows generates event 4624 with logon type = 2 (interactive). When an Audit Failure logon event (4625) is registered with logon type = 7, this commonly means that either you made a typo when entering the password, or someone is trying to break into the computer.<\/p>\n<p><strong>Logon type 8: NetworkCleartext. A user logged on to this computer from the network. The user&#8217;s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).<\/strong><\/p>\n<p>I believe that you should never see logon events with logon type = 8. This event is generated when a password comes from the network as clear text. 
Such events may occur when a user logs on to IIS (Internet Information Services) with the basic access authentication method. Transferring passwords in plaintext is dangerous because the passwords could be sniffed and revealed. So if basic authentication is the only option for you, you should protect your network connection (using encryption protocols like SSL\/TLS, creating a virtual private network etc.).<\/p>\n<p><strong>Logon type 9: NewCredentials. A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.<\/strong><\/p>\n<p>This event occurs when using the RunAs command with the \/netonly option. Let&#8217;s say you need to run a program, but grant it extra permissions on network computers. E.g. you may want to run Event Log Explorer and give it additional permissions for a specific computer or a domain (this may be helpful e.g. if you want to use a specific computer as a description server in Event Log Explorer, but your current permissions are not enough to access admin resources on this server). In this case you can run Event Log Explorer normally (using your current credentials), but specify special credentials for network connections. Let&#8217;s say your computer name is &#8220;WORK&#8221; and the description server name is &#8220;SERVER&#8221;. On the WORK computer you type:<\/p>\n<blockquote><p>runas.exe \/netonly \/user:server\\Administrator \"c:\\program files\\event log explorer\\elex.exe\"<\/p><\/blockquote>\n<p>and provide the administrator&#8217;s password when prompted.<\/p>\n<p>This will run Event Log Explorer even if you provided a wrong password. This happens because Windows uses a clone of the current credentials to run the program (a new logon session will be opened). 
Logon event 4624 will be logged with logon type = 9 (a logoff event will be logged when you quit the application). But what about SERVER? The server will register 4624 or 4625 events in its Security log with logon type = 3, but only when the application on the WORK computer tries to access a shared resource on the server, e.g. when Event Log Explorer tries to open a resource file with event descriptions.<\/p>\n<p><strong>Logon type 10: RemoteInteractive. A user logged on to this computer remotely using Terminal Services or Remote Desktop.<\/strong><\/p>\n<p>This logon type is similar to 2 (Interactive), but the user connects to the computer from a remote machine via RDP (using Remote Desktop, Terminal Services or Remote Assistance).<\/p>\n<p><strong>Logon type 11: CachedInteractive. A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.<\/strong><\/p>\n<p>When users log on to a domain, Windows caches the users&#8217; credentials locally so that they can log on later even if a logon server (domain controller) is unavailable. By default Windows caches the last 10 or 25 logon credentials (it depends on the operating system and can be increased up to 50). 
When a user attempts to log on with a domain account while the DC is not available, Windows checks the user&#8217;s credentials against these stored hashes and logs security event 4624 or 4625 with logon type = 11.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my previous post, I explained how to display the logon type for logon events in the Security log and described the meaning of some values. Here I will give you more information about logon types. The descriptions of some events (4624, 4625) in the Security log commonly contain some information about &#8220;logon type&#8221;, but it is too brief: The logon type field indicates the kind of logon that occurred.\u2026 <span class=\"read-more\"><a href=\"https:\/\/eventlogxp.com\/blog\/logon-type-what-does-it-mean\/\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":59,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[42,2],"tags":[28,51,21,49,29,23,16,4,17,18],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/52"}],"collection":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/comments?post=52"}],"version-history":[{"count":1,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/52\/revisions"}],"predecessor-version":[{"id":98,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/52\/revisions\/98"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media\/59"}],"wp:attachment":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media?parent=52"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/categories?post=52"},{"taxo
nomy":"post_tag","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/tags?post=52"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}