This article explains the Windows logon types, the integer codes that identify them in the Security event log, and what each one tells you about how a user or process reached the system.
Logon types and the logon-related event IDs are central to monitoring authentication. The events are written to the Security log, which you can read in Event Viewer, and they show successful logons, failed attempts, and patterns that point to an attack in progress.
The sections below list the logon types, the key event IDs, how to read them, and what to watch for.
A logon type records how a logon session was created: at the local console, over the network, through Remote Desktop, by a scheduled task or a service, and so on. It appears as the Logon Type field in logon events such as 4624 and 4625, so the same event ID can describe very different activity depending on this value.
| Logon Type | Integer Value | Description | Use Case |
|---|---|---|---|
| Interactive | 2 | Occurs when a user logs on physically at the console or keyboard. | Local access by employees or users. |
| Network | 3 | Occurs when accessing shared resources over the network (e.g., accessing a file share). | Common in server environments and file-sharing scenarios. |
| Batch | 4 | Used for scheduled tasks or batch jobs. | Automation and scheduled scripts. |
| Service | 5 | Initiated by a service that runs as a specific user account. | Background services and applications. |
| Unlock | 7 | Occurs when a user unlocks a workstation. | Resuming activity on a locked system. |
| NetworkCleartext | 8 | Network logon in which the password was passed to the authentication package unhashed (cleartext) rather than as an NTLM hash or Kerberos ticket. | Typically IIS Basic authentication; the password is exposed on the wire unless the connection is protected with TLS. |
| NewCredentials | 9 | The caller cloned its current token and supplied different credentials for outbound network connections; the local identity is unchanged and the new credentials are not validated when the event is logged. | RunAs with the /netonly option. |
| RemoteInteractive | 10 | A logon through Remote Desktop (RDP) or Remote Assistance. | Remote server or desktop administration. |
| CachedInteractive | 11 | Used when a domain controller is unavailable, and cached credentials are used for login. | Offline domain logins. |
1. Open Event Viewer: press Windows Key + R, type eventvwr, and press Enter.
2. Navigate to the Security log: expand Windows Logs > Security in the left pane.
3. Find the relevant events: use Filter Current Log in the Actions pane to show only Event ID 4624 (successful logon) or 4634 (logoff); 4625 lists failed attempts.
4. Read the event details: in the General or Details tab, the Logon Type field identifies the logon method, and the Logon ID ties the logon to its later logoff (4634/4647) and privilege-assignment (4672) events.
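The same read can be scripted. The following is an added example, not code from the original article: it pulls recent 4624 events from the local Security log, resolves the Logon Type field by name rather than by position, and summarizes how many logons of each type the machine has seen. The 200-event limit and the type-name table are assumptions; the Security log is readable only from an elevated session.

```powershell
# Added example (not from the original article): read 4624 events from the local
# Security log, resolve the Logon Type field by name, and summarize by type.
# Run from an elevated PowerShell session; the Security log is admin-only.
$logonTypeNames = @{
    2 = 'Interactive';    3 = 'Network';           4  = 'Batch'
    5 = 'Service';        7 = 'Unlock';            8  = 'NetworkCleartext'
    9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
    ForEach-Object {
        # Pull EventData fields by their Name attribute rather than by index into
        # $_.Properties, so the code does not break if fields are appended later.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type = [int]$data['LogonType']
        $name = if ($logonTypeNames.ContainsKey($type)) { $logonTypeNames[$type] } else { 'Other' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            LogonType   = $type
            TypeName    = $name
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonId     = $data['TargetLogonId']          # correlate with 4634/4647/4672
            AuthPackage = $data['AuthenticationPackageName']
            SourceIP    = $data['IpAddress']
        }
    }

$logons | Format-Table Time, LogonType, TypeName, Account, AuthPackage, SourceIP -AutoSize

# Breakdown by type. A workstation should be mostly 2, 7 and 11; a large share of
# 3 or 10 on a workstation is worth a closer look.
$logons | Group-Object TypeName | Sort-Object Count -Descending | Format-Table Name, Count
```

Parsing the event XML by field name costs a little more than indexing `$_.Properties`, but it keeps the script readable and independent of field order, which matters when the same code is run against different Windows versions.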
| Event ID | Event Name | Description | Key Details |
|---|---|---|---|
| 4624 | Successful Logon | An account was successfully logged on. | Logon Type, target account, Logon ID, logon process and authentication package (Kerberos, NTLM, Negotiate), source workstation and IP. |
| 4625 | Failed Logon Attempt | An account failed to log on. | Logon Type, account name, source, and the Status/Sub Status code giving the reason (for example 0xC000006A for a wrong password, 0xC0000064 for an unknown user name). |
| 4634 | Logoff Event | A logon session was destroyed. | Logon ID and logon type; logged for every logon type, so match it to the 4624 with the same Logon ID to get session duration. |
| 4647 | User-Initiated Logoff | The user explicitly logged off an interactive session. | Account and Logon ID; appears only when the user initiates the logoff and is typically followed by a 4634 for the same Logon ID. |
| 4672 | Special Privileges Assigned | Sensitive privileges (such as SeDebugPrivilege or SeBackupPrivilege) were assigned to a new logon session; in practice this fires for every administrator logon. | Written right after the 4624 with the same Logon ID; use the two together to pick out which logons were privileged. |
- Monitor for unauthorized access: many 4625 events in a short window from one source against one account indicate brute-force password guessing; one source failing against many different accounts indicates password spraying. The Status/Sub Status code tells a wrong password (0xC000006A) apart from a non-existent account (0xC0000064), which separates guessing from enumeration.
- Identify unusual activity: a Type 8 logon means the password reached the server unhashed. Find the application that produced it (usually IIS Basic authentication) and confirm the connection is protected with TLS, or move it to a hash- or ticket-based authentication method.
- Track remote logins: Type 10 (RDP) logons from source addresses, accounts, or hours you do not expect are a common first sign of unauthorized remote access; the 4624 event carries the source IP and account needed to follow up.
- Audit service activity: review Type 5 logons for accounts that should not be running services. A new service logon under a regular user or administrator account, rather than a dedicated service account, should be explained.
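The four monitoring points above can be turned into checks that run against the Security log. The following is an added example, not code from the original article: it uses XPath filters so that Windows returns only the matching records, then groups failed logons by source and account, lists successful Type 8 and Type 10 logons, and flags Type 5 logons by accounts outside an allowed list. The one-hour window, the thresholds, and the list of expected service accounts are assumptions to tune for your environment.

```powershell
# Added example (not from the original article): the monitoring points above as
# PowerShell checks against the local Security log. Window, thresholds and the
# expected-service-account list are assumptions. Run from an elevated session.
$windowMs      = 60 * 60 * 1000   # XPath timediff() works in milliseconds
$bruteForceMin = 10               # failures for one source -> account pair
$sprayMin      = 5                # distinct accounts tried from one source
$expectedServiceAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')  # add your service accounts / gMSAs

function Get-EventDataMap {
    # Map the <Data Name="..."> elements of one Security event to a hashtable.
    param($Record)
    $map = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Get-SecurityEvents([string]$XPath) {
    # Server-side filtering: only records matching the XPath are read from the log.
    Get-WinEvent -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventDataMap $_ }
}
$recent = "TimeCreated[timediff(@SystemTime) <= $windowMs]"

# 1. Unauthorized access: 4625 grouped by source -> account (brute force), and
#    sources that fail against many distinct accounts (password spraying).
$failed = @(Get-SecurityEvents "*[System[EventID=4625 and $recent]]")
$failed | Group-Object { "$($_['IpAddress']) -> $($_['TargetUserName'])" } |
    Where-Object Count -ge $bruteForceMin |
    ForEach-Object { "[brute force?] $($_.Count) failures in window: $($_.Name)" }
$failed | Group-Object { $_['IpAddress'] } | ForEach-Object {
    $accounts = @($_.Group | ForEach-Object { $_['TargetUserName'] } | Sort-Object -Unique)
    if ($accounts.Count -ge $sprayMin) { "[spray?] $($_.Name) tried $($accounts.Count) accounts" }
}

# 2./3. Successful Type 8 (cleartext) and Type 10 (RDP) logons, selected by logon
#       type inside the XPath so the whole log is not read.
$xpath = "*[System[EventID=4624 and $recent] and " +
         "EventData[Data[@Name='LogonType']='8' or Data[@Name='LogonType']='10']]"
Get-SecurityEvents $xpath | ForEach-Object {
    [pscustomobject]@{
        LogonType = $_['LogonType']
        Account   = "$($_['TargetDomainName'])\$($_['TargetUserName'])"
        SourceIP  = $_['IpAddress']
        Process   = $_['LogonProcessName']   # User32 for RDP; Advapi for application logons such as IIS
    }
} | Format-Table -AutoSize

# 4. Service logons (Type 5) by accounts that are not expected to run services.
Get-SecurityEvents "*[System[EventID=4624 and $recent] and EventData[Data[@Name='LogonType']='5']]" |
    Where-Object { $_['TargetUserName'] -notin $expectedServiceAccounts } |
    ForEach-Object { "[unexpected service logon] $($_['TargetDomainName'])\$($_['TargetUserName']) by $($_['ProcessName'])" }
```

Filtering by logon type in the XPath (`EventData[Data[@Name='LogonType']='10']`) is the key trick: the same expression works in Event Viewer's Filter Current Log > XML tab, in event subscriptions, and in Windows Event Forwarding, so the check can be moved from an ad hoc script to central collection without rewriting it.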
Local logons use Logon Type 2, while remote logons often use Type 3 (network) or Type 10 (RDP).
Cached logons (Type 11) allow a domain user to sign in when no domain controller is reachable, using credentials Windows stored from an earlier successful logon; this is what lets laptops work offline.
ClearText (Type 8) logons pass the password to the server's authentication package unhashed, so anything between client and server that is not encrypted can expose it. Avoid Type 8 where possible, and where an application requires it (such as IIS Basic authentication) make sure the connection uses TLS.
Look for Event ID 4625 in the Security logs of the Event Viewer to identify failed logons.
Use tools like PowerShell (Get-WinEvent), Splunk, or Microsoft Sentinel (formerly Azure Sentinel) to automate logon log analysis across large environments, ideally with the Security logs forwarded to a central collector.