Does Windows log an event when a user logs off a Windows computer?
If a user turns off his/her computer, Windows does not have an opportunity to log the logoff event until the system restarts. Therefore, some logoff events are logged much later than the time at which they actually occur. ANONYMOUS LOGONs are routine events on Windows networks.
What is session ID 0x3e7?
Each logon session has a locally-unique identifier (LUID). For example, the LUID for the System account’s logon session is always 0x3e7 (999 decimal), the LUID for Network Service’s session is 0x3e4 (996), and Local Service’s is 0x3e5 (997). Most other LUIDs are randomly generated.
What are logon events?
Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated. If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all.
What are the different login types?
Logon Types
| Logon Number | Logon Type |
|---|---|
| 0 | Used only by the System account |
| 2 | Interactive: Used to log on at the local console |
| 3 | Network: Used to access a Windows resource (e.g., shared folder) from a system on the network |
| 4 | Batch Job: Used to run a scheduled task as a specified account |
What are the different logon types?
| Logon type | # | Authenticators accepted |
|---|---|---|
| Interactive (also known as Logon locally) | 2 | Password, Smartcard, other |
| Network | 3 | Password, NT Hash, Kerberos ticket |
| Batch | 4 | Password (stored as LSA secret) |
| Service | 5 | Password (stored as LSA secret) |
How can I see who logged into my computer?
View Logon Events: Hit Start, type “event,” and then click the “Event Viewer” result. In the “Event Viewer” window, in the left-hand pane, navigate to Windows Logs > Security.
What is the logon event 4624 in Windows 10?
Also see event ID 4647 which Windows logs instead of this event in the case of interactive logons when the user logs out. This event signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID. For network connections (such as to a file server), it will appear that users log on and off many times a day.
What is event 4634 and what does it mean?
When a logon session is terminated, event 4634 is generated. This is not to be confused with event 4647, where a user initiates the logoff (i.e., a specific account uses the logoff function). Here, it is simply recorded that a session no longer exists as it was terminated.
What is the importance of logoff events 4634 and 4647?
This is a highly valuable event since it documents each and every successful attempt to log on to the local computer regardless of logon type, location of the user or type of account. You can tie this event to logoff events 4634 and 4647 using Logon ID. Win2012 adds the Impersonation Level field as shown in the example.
What does the logon ID value 4624 mean?
It may be positively correlated with a “4624: An account was successfully logged on.” event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Note: For recommendations, see Security Monitoring Recommendations for this event.
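The correlation described above, as an added example that is not part of the original page: it pairs each 4624 with the first 4634 or 4647 carrying the same Logon ID, and treats a restart as the boundary past which a Logon ID no longer identifies the same session. The event records are constructed, the dictionary keys are this example's own naming, and event 4608 (Windows is starting up) is an assumption used as the restart marker since the page does not name one.

```python
from datetime import datetime

LOGON, LOGOFF, USER_LOGOFF = 4624, 4634, 4647
STARTUP = 4608  # "Windows is starting up"; not on the page, used here as the reboot marker

# Constructed sample records, not real log data. Keys are this example's own naming.
EVENTS = [
    {"time": "2024-05-01T08:00:00", "id": 4608},
    {"time": "2024-05-01T08:01:00", "id": 4624, "logon_id": "0x1a2b3", "user": "alice", "type": 2},
    {"time": "2024-05-01T08:05:00", "id": 4624, "logon_id": "0x2c4d5", "user": "bob", "type": 3},
    {"time": "2024-05-01T08:05:04", "id": 4634, "logon_id": "0x2c4d5"},
    {"time": "2024-05-01T12:00:00", "id": 4647, "logon_id": "0x1a2b3"},
    {"time": "2024-05-01T12:00:01", "id": 4634, "logon_id": "0x1a2b3"},  # already closed
    {"time": "2024-05-01T13:00:00", "id": 4624, "logon_id": "0x5e6f7", "user": "carol", "type": 2},
    # power is cut here: no 4634/4647 is ever written for carol
    {"time": "2024-05-01T14:00:00", "id": 4608},
    {"time": "2024-05-01T14:02:00", "id": 4624, "logon_id": "0x1a2b3", "user": "dave", "type": 2},
]

def build_sessions(events):
    """Pair each 4624 with the first 4634/4647 that carries the same Logon ID."""
    open_by_id, sessions = {}, []

    def close(logon_id, end, closed_by):
        s = open_by_id.pop(logon_id)
        s["end"], s["closed_by"] = end, closed_by
        s["seconds"] = (end - s["start"]).total_seconds() if end else None
        sessions.append(s)

    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == STARTUP:
            # Logon IDs are unique only between reboots, so no session survives one.
            for logon_id in list(open_by_id):
                close(logon_id, None, "no logoff before restart")
        elif ev["id"] == LOGON:
            open_by_id[ev["logon_id"]] = {"logon_id": ev["logon_id"], "user": ev["user"],
                                          "type": ev["type"], "start": when}
        elif ev["id"] in (LOGOFF, USER_LOGOFF) and ev["logon_id"] in open_by_id:
            close(ev["logon_id"], when, ev["id"])
    for logon_id in list(open_by_id):
        close(logon_id, None, "still open")
    return sessions

if __name__ == "__main__":
    for s in build_sessions(EVENTS):
        print(s["user"], s["logon_id"], s["type"], s["closed_by"], s["seconds"])
```

Without the restart boundary, dave's session would be matched against alice's Logon ID, and carol's session would appear to run until the end of the log.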