Windows Logon Types and Logon Codes
Windows logon types and their numeric logon codes are core elements of system security: they tell an administrator how a user or process authenticated to a machine, which makes it possible to monitor and analyze authentication events. These events are recorded in the Security log, viewable in Event Viewer, and can be used to identify logon attempts, successful authentications, and potential security threats.
This article explains the Windows logon types, their associated codes, the Event IDs that carry them, and how to interpret them.
What are Windows Logon Types?
Windows logon types define the method used for a user to log into a system. Each logon type corresponds to a specific activity, such as a local logon, remote desktop, or network authentication.
Common Windows Logon Types and Their Codes
| Logon Type | Integer Value | Description | Use Case |
|---|---|---|---|
| Interactive | 2 | Occurs when a user logs on physically at the console or keyboard. | Local access by employees or users. |
| Network | 3 | Occurs when accessing shared resources over the network (e.g., accessing a file share). | Common in server environments and file-sharing scenarios. |
| Batch | 4 | Used for scheduled tasks or batch jobs. | Automation and scheduled scripts. |
| Service | 5 | Initiated by a service that runs as a specific user account. | Background services and applications. |
| Unlock | 7 | Occurs when a user unlocks a workstation. | Resuming activity on a locked system. |
| NetworkClearText | 8 | Network logon in which the password is passed to the authentication package in plaintext. | Generally considered insecure; typically used in older systems. |
| NewCredentials | 9 | Occurs when a process keeps its current local identity but supplies alternate credentials for outbound network connections. | RunAs commands with the /netonly option. |
| RemoteInteractive | 10 | Used for Remote Desktop Protocol (RDP) sessions. | Remote server or desktop management. |
| CachedInteractive | 11 | Used when a domain controller is unavailable and locally cached credentials are used for the logon. | Offline domain logins. |
How to View Windows Logon Types and Codes
- Open Event Viewer:
  - Press Windows Key + R, type eventvwr, and press Enter.
- Navigate to the Security log:
  - Go to Windows Logs > Security in the left pane.
- Find the relevant events:
  - Look for Event IDs such as 4624 (Logon) or 4634 (Logoff) for detailed logon information.
- Analyze the log details:
  - In the event details, look for the Logon Type field to identify the specific logon method.
Common Event IDs Related to Logon Types
- Event ID 4624: Successful logon.
- Event ID 4625: Failed logon attempt.
- Event ID 4634: Logoff event.
- Event ID 4647: User-initiated logoff.
- Event ID 4672: Special privileges assigned to a new logon.
Security Implications of Logon Types
- Monitor for unauthorized access:
  - Analyze failed logon attempts (Event ID 4625) to identify potential brute-force attacks.
- Identify unusual activity:
  - Investigate unexpected logon types, such as Type 8 (ClearText logon), as they may indicate insecure practices.
- Track remote logins:
  - Keep an eye on Type 10 (RDP logon) to detect unauthorized remote access.
- Audit service activity:
  - Regularly review Type 5 (Service logon) for unexpected services running under specific accounts.
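The following PowerShell script is an added example, not code from the original article. It automates both the "How to View" procedure above (reading 4624/4625 events and decoding the Logon Type field, which lives in the event's EventData XML rather than in its top-level properties) and the four review points in this section. The function name Get-LogonReview, the 24-hour window, and the failure threshold of 10 are assumptions chosen for illustration; reading the Security log requires an elevated (administrator) PowerShell session.

```powershell
# Added example (not from the original article). Reads recent 4624/4625 events from
# the Security log, decodes the LogonType field, and applies the review points from
# the "Security Implications" section. Function name, window and threshold are assumed.

# Logon type integer -> name, as listed in the table above.
$LogonTypeNames = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

# Flatten one Security event into a record with the fields used below. The Logon Type
# shown in Event Viewer is inside the EventData XML, so the event is converted to XML.
function ConvertTo-LogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    [xml] $xml = $Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $type = 0
    if ($data['LogonType']) { $type = [int] $data['LogonType'] }
    $name = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { "Unknown($type)" }
    [pscustomobject] @{
        Time        = $Event.TimeCreated
        EventId     = $Event.Id
        LogonType   = $type
        LogonName   = $name
        Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

function Get-LogonReview {
    param(
        [int] $Hours = 24,            # assumed look-back window
        [int] $FailureThreshold = 10  # assumed number of 4625s from one source worth a look
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $logons = foreach ($e in $events) { ConvertTo-LogonRecord -Event $e }
    $ok     = $logons | Where-Object { $_.EventId -eq 4624 }

    # Breakdown of successful logons per type: the same information you would gather
    # by reading the Logon Type field of each 4624 event in Event Viewer.
    $ok | Group-Object LogonName | Sort-Object Count -Descending |
        ForEach-Object { "[Summary] $($_.Name): $($_.Count) successful logons" }

    # 1. Possible password guessing: many 4625 failures from the same source address.
    $logons | Where-Object { $_.EventId -eq 4625 } | Group-Object SourceIp |
        Where-Object { $_.Count -ge $FailureThreshold } |
        ForEach-Object {
            "[Failed logons] $($_.Count) failures from '$($_.Name)' against " +
            (($_.Group.Account | Sort-Object -Unique) -join ', ')
        }

    # 2. Insecure practice: successful logons that passed a cleartext password (Type 8).
    $ok | Where-Object { $_.LogonType -eq 8 } |
        ForEach-Object { "[Cleartext] $($_.Time) $($_.Account) from $($_.SourceIp)" }

    # 3. Remote access: every RDP session (Type 10) with its source address.
    $ok | Where-Object { $_.LogonType -eq 10 } | Sort-Object Time |
        ForEach-Object { "[RDP] $($_.Time) $($_.Account) from $($_.SourceIp)" }

    # 4. Service accounts: which accounts started services (Type 5), and how often.
    $ok | Where-Object { $_.LogonType -eq 5 } | Group-Object Account |
        Sort-Object Count -Descending |
        ForEach-Object { "[Service] $($_.Name): $($_.Count) logons" }
}

Get-LogonReview -Hours 24 -FailureThreshold 10
```

Two practical caveats when reading the output: Type 3 is by far the noisiest logon type on any domain-joined machine (every file-share and RPC access produces one), so it is summarized rather than listed; and Type 8 most often comes from a web application using Basic authentication, so a hit there is a prompt to check how that credential travels on the wire rather than proof of an attack.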
FAQ
- How do I differentiate between local and remote logons?
  Local (console) logons use Logon Type 2, while remote logons typically use Type 3 (network) or Type 10 (RDP).
- What is the significance of cached logons (Type 11)?
  Cached logons allow users to authenticate even when the domain controller is unavailable, which is useful for laptops used offline.
- Why is Type 8 (ClearText Logon) insecure?
  ClearText logons pass the password in plaintext, so it can be intercepted. Avoid using Type 8 whenever possible.
- How can I track failed logon attempts?
  Look for Event ID 4625 in the Security log in Event Viewer to identify failed logons.
- What tools can help analyze logon events?
  Use tools like PowerShell, Splunk, or Azure Sentinel to automate logon log analysis in large environments.