!!! Overview

[{$pagename}] is when an [entity] is involved in an [Authentication] or [Impersonation] [event] on [Microsoft Windows] (either [Windows Client] or [Windows Server]).

This [event] is generated when a [{$pagename}] [session] is created. It is generated on the [Hostname] that was accessed, not on the system the logon originated from.

The Subject fields indicate the [Digital Identity] on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the [Windows Logon Type] that occurred. The most common types are 2 ([Interactive]) and 3 ([network|Network-Auth]).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

!! Fields for [{$pagename}]

[Event 4624] and [Event 4625] are the [Events] recorded as a [Windows Security Log Event] ([Microsoft Windows] [Logging]) for [{$pagename}]. The fields below are within the [event].

The user who just logged on is identified by the Account Name and [Account Domain|AD DOMAIN]. You can determine whether the [Digital Identity] is local or domain by comparing the [Account Domain|AD DOMAIN] to the [computer name|Hostname]. If they match, the [Digital Identity] is a local [Digital Identity] on that system; otherwise it is an [AD DOMAIN] account.

* [Security Identifier] ([SID])
* Account Name (Type = [Unicode][String]): the name of the [Digital Identity] that __reported__ information about [Authentication].
* Account [AD DOMAIN] (Type = [Unicode][String]): the [subject]’s domain or computer name. Formats vary, and include the following:
** [NetBIOS domain name] example: CONTOSO
** [Lowercase] full [AD DOMAIN] name: contoso.local
** [UPPERCASE] full [AD DOMAIN] name: CONTOSO.LOCAL
** For some well-known [Security Principal Objects], such as LOCAL SERVICE or [Anonymous] [LOGON|Authentication], the value of this field is “NT AUTHORITY”.
** For local user accounts, this field will contain the name of the computer or device that this [Digital Identity] belongs to, for example: “Win81”.
* Logon ID (Type = HexInt64): [Hexadecimal] value that can help you correlate this [event] with recent events that might contain the same Logon ID, for [example], “4672(S): Special privileges assigned to new logon.”
* Logon Information ([Version] 2): the logon-information fields are described in [Windows Authentication Package]
* [Windows Logon Types] ([Version] 0, 1, 2) (Type = UInt32): the [Windows Logon Type] which was performed.
* Linked Logon ID ([Version 2]) (Type = HexInt64): a [Hexadecimal] value of the paired logon session. If there is no other logon session associated with this logon session, then the value is “0x0”. The usual case of a paired session is an administrator logging on with UAC enabled: Windows creates a filtered and an elevated logon session, each recorded in its own [Event 4624], with the Linked Logon ID of each pointing at the other.
* Network Account Name (Version 2) (Type = [Unicode][String]): [Username] that will be used for outbound (network) connections. Valid only for the [NewCredentials] logon type.
** If not a [NewCredentials] logon, then this will be a "-" string.
* Network Account Domain (Version 2) (Type = [Unicode][String]): [AD DOMAIN] for the [user] that will be used for outbound (network) connections. Valid only for the [NewCredentials] logon type.
** If not a [NewCredentials] logon, then this will be a "-" string.
* Logon [GUID] (Type = GUID): a [GUID] that can help you correlate this [event] with another [event] that can contain the same Logon [GUID], “4769(S, F): A [Kerberos] service ticket was requested” on a [Domain Controller].
** It also can be used for correlation between this [Event 4624] and several other events (on the same computer) that can contain the same Logon GUID, “4648(S): A logon was attempted using explicit credentials” and “4964(S): Special groups have been assigned to a new logon.”
** This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
* Restricted Admin Mode (Version 2) (Type = UnicodeString): only populated for [RemoteInteractive] logon type sessions.
This is a Yes/No flag indicating whether the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2, but this flag was only added to the event in Win10.
** Reference: http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx
** If not a RemoteInteractive logon, then this will be a "-" string.
* Virtual Account (Version 2) (Type = UnicodeString): a “Yes” or “No” flag, which indicates if the [Digital Identity] is a virtual account (e.g., "[Managed Service Account]"). Virtual accounts were introduced in [Windows 7] and [Windows Server 2008 R2] to provide the ability to identify the account that a given Service uses, instead of just using "[NetworkService]".
* [Elevated Token] (Version 2) (Type = UnicodeString): a “Yes” or “No” flag. If “Yes”, then the session this event represents is elevated (it has administrator privileges) and is used as a [Privileged Identity].
* [Impersonation] Level (Version 1, 2) (Type = UnicodeString): can have one of these four values:
** SecurityAnonymous (displayed as empty string): The server process cannot obtain identification information about the client, and it cannot impersonate the client. It is the first member of the SECURITY_IMPERSONATION_LEVEL enumeration and is defined with no value given, and thus, by ANSI C rules, defaults to a value of zero.
** SecurityIdentification (displayed as "Identification"): The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. This is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context.
** SecurityImpersonation (displayed as "Impersonation"): The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems. This is the most common type.
** SecurityDelegation (displayed as "Delegation"): The server process can impersonate the client's security context on remote systems.

!! [Windows Client Authentication Architecture]

[Windows Client Authentication Architecture] describes the components involved with [{$pagename}].

!! More Information

There might be more information for this subject on one of the following:

[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [4624(S): An account was successfully logged on|https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624|target='_blank'] - based on information obtained 2018-03-27
* [#2] - [Windows Security Log Event ID 4624|https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624|target='_blank'] - based on information obtained 2018-03-27
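The field rules described above (local versus domain account, logon type, NewCredentials outbound identity, Restricted Admin Mode, Elevated Token and Linked Logon ID pairing) applied to a handful of constructed [Event 4624] records, as an added example; this is not code from the page's sources or from Microsoft. The records are made-up sample data in the Event XML shape that Event Viewer and Get-WinEvent's ToXml() emit; the Data Name values are assumed to match the 4624 schema, and the mapping of raw message-table references (%%1842, %%1843, %%1833 and so on) to the rendered "Yes"/"No"/"Impersonation" strings is an assumption taken from published 4624 samples.

```python
"""Constructed Event 4624 records run through the field rules described above.
Sample data is made up; Data Name values follow the 4624 EventData schema."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Windows Logon Type codes (field "LogonType"); 2 and 3 are the common ones.
LOGON_TYPES = {0: "System", 2: "Interactive", 3: "Network", 4: "Batch",
               5: "Service", 7: "Unlock", 8: "NetworkCleartext",
               9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Raw XML carries message-table references for flag fields that Event Viewer
# renders; this mapping is an assumption taken from published 4624 samples.
RENDERED = {"%%1832": "Identification", "%%1833": "Impersonation",
            "%%1840": "Delegation", "%%1842": "Yes", "%%1843": "No"}


def parse_4624(xml_text):
    """Flatten one 4624 event (System + EventData) into a dict keyed by Data Name."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    rec = {"Version": int(sysnode.findtext("e:Version", namespaces=NS)),
           "Computer": sysnode.findtext("e:Computer", namespaces=NS)}
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        rec[d.get("Name")] = RENDERED.get(d.text or "", d.text or "")
    return rec


def account_scope(rec):
    """Local vs domain account: Account Domain equal to the host name means local."""
    host = rec["Computer"].split(".")[0].upper()
    domain = rec["TargetDomainName"].upper()
    if domain == "NT AUTHORITY":
        return "well-known"          # LOCAL SERVICE, ANONYMOUS LOGON, ...
    return "local" if domain == host else "domain"


def summarize(rec):
    """Apply the per-field interpretation rules to one parsed record."""
    ltype = int(rec["LogonType"])
    v2 = rec["Version"] >= 2       # Linked Logon ID, Elevated Token etc. need Version 2
    out = {"user": rec["TargetDomainName"] + "\\" + rec["TargetUserName"],
           "scope": account_scope(rec),
           "logon_type": LOGON_TYPES.get(ltype, "Unknown(%d)" % ltype),
           "logon_id": rec["TargetLogonId"],
           "linked": rec.get("TargetLinkedLogonId", "0x0") if v2 else None,
           "elevated": v2 and rec.get("ElevatedToken") == "Yes",
           # Restricted Admin Mode is only meaningful for RemoteInteractive (10)
           "restricted_admin": ltype == 10 and rec.get("RestrictedAdminMode") == "Yes",
           "outbound": None}
    if ltype == 9:  # NewCredentials (e.g. runas /netonly): outbound identity differs
        out["outbound"] = (rec.get("TargetOutboundDomainName", "-") + "\\"
                           + rec.get("TargetOutboundUserName", "-"))
    return out


def pair_linked_sessions(summaries):
    """UAC gives an administrator two logon sessions (filtered and elevated);
    Linked Logon ID points each half at the other. Return the matched pairs."""
    by_id = {s["logon_id"]: s for s in summaries}
    pairs = {}
    for s in summaries:
        partner = by_id.get(s["linked"])
        if partner and partner["linked"] == s["logon_id"]:
            pairs[s["logon_id"]] = partner["logon_id"]
    return pairs


def sample(version, computer, **data):
    """Build a constructed 4624 record in the Event XML shape (sample data, not real)."""
    body = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System><EventID>4624</EventID><Version>%d</Version>'
            '<Computer>%s</Computer></System><EventData>%s</EventData></Event>'
            % (NS["e"], version, computer, body))


SAMPLES = [  # constructed records
    # UAC split token: filtered half and elevated half point at each other
    sample(2, "WIN81.contoso.local", TargetUserName="alice", TargetDomainName="WIN81",
           TargetLogonId="0x3e8a1", LogonType="2", TargetLinkedLogonId="0x3e8c5",
           ElevatedToken="%%1843", ImpersonationLevel="%%1833"),
    sample(2, "WIN81.contoso.local", TargetUserName="alice", TargetDomainName="WIN81",
           TargetLogonId="0x3e8c5", LogonType="2", TargetLinkedLogonId="0x3e8a1",
           ElevatedToken="%%1842", ImpersonationLevel="%%1833"),
    # Domain service account over the network (SMB, WinRM, ...)
    sample(2, "WIN81.contoso.local", TargetUserName="svc-backup", TargetDomainName="CONTOSO",
           TargetLogonId="0x5c01f", LogonType="3", TargetLinkedLogonId="0x0",
           ElevatedToken="%%1843", IpAddress="10.0.0.5"),
    # runas /netonly: local session whose outbound identity is a domain account
    sample(2, "WIN81.contoso.local", TargetUserName="alice", TargetDomainName="WIN81",
           TargetLogonId="0x60a77", LogonType="9", TargetLinkedLogonId="0x0",
           ElevatedToken="%%1843", TargetOutboundUserName="alice",
           TargetOutboundDomainName="CONTOSO"),
    # RDP with Restricted Admin mode (no reusable credentials left on the target)
    sample(2, "SRV01.contoso.local", TargetUserName="bob", TargetDomainName="CONTOSO",
           TargetLogonId="0x7b1e2", LogonType="10", TargetLinkedLogonId="0x0",
           ElevatedToken="%%1843", RestrictedAdminMode="%%1842"),
]


def analyse(xml_records=SAMPLES):
    """Return (per-event summaries, linked-session pairs) for a batch of 4624 XML."""
    summaries = [summarize(parse_4624(x)) for x in xml_records]
    return summaries, pair_linked_sessions(summaries)
```

On a real host the same functions can be fed the output of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` piped through `.ToXml()`; the host-name comparison in `account_scope` uses the short (NetBIOS) part of the Computer element because a local account's Account Domain is the bare computer name, not its DNS name.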