Windows Logon


Windows Logon is when an entity is involved Authentication or Impersonation event on Microsoft Windows (either Windows Client or Windows Server)

This event is generated when a Windows Logon session is created. It is generated on the Hostname that was accessed.

The subject fields indicate the Digital Identity on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the Windows Logon Type that occurred. The most common types are 2 (Interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

Fields for Windows Logon#

Event 4624 and Event 4625 are the Events recorded as a Windows Security Log Event (Microsoft Windows Logging) for Windows Logon The fields below are within the event The user who just logged on is identified by the Account Name and Account Domain. You can determine whether the Digital Identity is local or domain by comparing the Account Domain to the computer name. If they match, the Digital Identity is a local Digital Identity on that system, otherwise a AD DOMAIN account.
  • Security Identifier (SID)
  • Account Name (Type = UnicodeString): the name of the Digital Identity that reported information about Authentication.
  • Account AD DOMAIN (Type = UnicodeString): subject’s domain or computer name. Formats vary, and include the following:
  • Logon ID (Type = HexInt64): Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”
  • Logon Information Version 2 are described in Windows Authentication Package
  • Windows Logon Types Version 0, 1, 2 (Type = UInt32): the Windows Logon Type which was performed.
  • Linked Logon ID Version 2 (Type = HexInt64): A Hexadecimal value of the paired logon session. If there is no other logon session associated with this logon session, then the value is “0x0”.
  • Network Account Name (Version 2) (Type = Unicode]String): Username that will be used for outbound (network) connections. Valid only for NewCredentials logon type.
  • Network Account Domain (Version 2) (Type = UnicodeString): AD DOMAIN for the user that will be used for outbound (network) connections. Valid only for NewCredentials logon type.
    • If not NewCredentials logon, then this will be a "-" string.
  • Logon GUID (Type = GUID): a GUID that can help you correlate this event with another event that can contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested event on a Domain Controller.
  • It also can be used for correlation between a Event 4624 and several other events (on the same computer) that can contain the same Logon GUID, “4648(S): A logon was attempted using explicit credentials” and “4964(S): Special groups have been assigned to a new logon.”
    • This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
  • Restricted Admin Mode (Version 2) (Type = UnicodeString): Only populated for RemoteInteractive logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10.
    • Reference: http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx.
    • If not a RemoteInteractive logon, then this will be "-" string.
  • Virtual Account (Version 2) (Type = UnicodeString): a “Yes” or “No” flag, which indicates if the Digital Identity is a virtual account (e.g., "Managed Service Account"), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using "NetworkService".
  • Elevated Token (Version 2) (Type = UnicodeString): a “Yes” or “No” flag. If “Yes” then the session this event represents is elevated and is used as a Privileged Identity.
  • Impersonation Level (Version 1, 2 Type = UnicodeString): can have one of these four values:
    • SecurityAnonymous (displayed as empty string): The server process cannot obtain identification information about the client, and it cannot impersonate the client. It is defined with no value given, and thus, by ANSI C rules, defaults to a value of zero.
    • SecurityIdentification (displayed as "Identification"): The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. This is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context.
    • SecurityImpersonation (displayed as "Impersonation"): The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems. This is the most common type.
    • SecurityDelegation (displayed as "Delegation"): The server process can impersonate the client's security context on remote systems.

Windows Client Authentication Architecture#

Windows Client Authentication Architecture describes the components in involved with Windows Logon

More Information#

There might be more information for this subject on one of the following: