Differences Between Account Logon and Logon / Logoff Events In The Windows Security Log
The two Windows Security Log Categories “Account Logon” and “Logon / Logoff” are related but distinct and the “Account Logon” category can be thought of as Authentication Events
What are the differences between authentication and logon?
In Windows when you access a computer in front of you or on a network you must first authenticate and then obtain a logon session on that computer
Authentication is a point in time Event
A logon session has a beginning and end
Authentication Events are not duplicates of logon Events as they may not take place on the computer in front of you
In the following, the first Event Id is for Windows 2000 and 2003, that is pre-Vista/2008
The second Event Id is the Vista/2008 Event Id
For example, for a bad password the Event Ids are 529/4625: 529 is the old Event Id and 4625 is the new one, obtained by adding 4096 to the old Event Id (529 + 4096 = 4625)
Workstation Logons
The simplest case is a logon at the console (interactive logon) of a standalone workstation (not a member of a domain)
The only type of account that can log on in this case is a Local User Account, defined in Computer Management > Local Users and Groups, which is the same thing as a SAM Account
In this case both the authentication and the logon occur on the same machine, so both an Account Logon Event (680/4776) and a Logon / Logoff Event (528/4624) are seen in that machine's Security Log
When the workstation is a member of a domain it is possible to authenticate with either a local account or a domain account
When a user specifies a Domain Account, the local workstation cannot perform the authentication because the account (and password hash) is not stored locally
Therefore the workstation requests authentication from a Domain Controller via Kerberos and the authentication Event (672/4768) is logged on the Domain Controller
Once the Domain Controller tells the workstation that the user is authenticated the workstation creates a logon session and logs a logon Event (528/4624) in its Security Log
When an “interactive logon” finally logs off, the workstation records a “logoff initiated” Event (551/4647) followed by the actual logoff Event (538/4634)
The logon and logoff Events are correlated by the Logon ID that identifies the logon session
Accessing Member Servers
After a successful workstation logon it is normal to connect to shared folders on member servers; each connection obtains a logon session on that server, in this case a “network logon” session, which lasts only as long as the file is open
This is why file servers show repeated logon / logoff Events for the same user through the course of the day
For network logons, Windows Server 2003 logs 540 instead of 528, while Windows Server 2008 / Vista logs 4624 for all types of logons and distinguishes them by Logon Type
More often, a logon to a member server is via Remote Desktop
In this case the same 528/4624 Event is logged, but the logon type is “remote interactive” (aka Remote Desktop)
The Logon Types specified in logon Events 528/540/4624 are, in short:
Logon Type | Description |
---|---|
2 | Interactive (logon at keyboard and screen of system) |
3 | Network (connection to shared folder) |
4 | Network (connection to shared folder) |
5 | Service (Service start-up) |
10 | Remote Interactive (Terminal Services, Remote Desktop) |
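The correlation described above (a logon Event paired with its 551/4647 or 538/4634 by Logon ID, classified by Logon Type, with the old Event Id mapped to the new one by adding 4096) as an added Python example; it is not code from the original article. The event records are constructed to mimic the fields of the 2008-era events (`TargetLogonId`, `LogonType`, `TargetUserName` follow the event XML; the values, hosts and times are invented), and the type-name map covers only the types the table above lists, with type 4 left out.

```python
"""Pair Windows logon (4624) and logoff (4634/4647) events by Logon ID.

Added example, not part of the original article. The records below are
constructed to mimic the fields of the Security Log events the article
discusses; field names follow the Vista/2008 event XML, values are invented.
"""
from datetime import datetime

# Descriptions of logon types from the article's table (type 4 omitted here).
LOGON_TYPE_NAMES = {
    2: "Interactive",
    3: "Network",
    5: "Service",
    10: "RemoteInteractive",
}


def modern_event_id(legacy_id: int) -> int:
    """Map a 2000/2003 Event Id to its Vista/2008 equivalent (+4096)."""
    return legacy_id + 4096


# Constructed sample: an interactive logon on WS01 that logs off cleanly
# (4647 then 4634), and a short network logon on FS01 that ends with 4634 only.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1", "LogonType": 2, "Time": "2024-01-08T08:00:00"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "alice",
     "TargetLogonId": "0x5b201", "LogonType": 3, "Time": "2024-01-08T08:05:00"},
    {"EventID": 4634, "Computer": "FS01", "TargetUserName": "alice",
     "TargetLogonId": "0x5b201", "Time": "2024-01-08T08:05:30"},
    {"EventID": 4647, "Computer": "WS01", "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1", "Time": "2024-01-08T17:00:00"},
    {"EventID": 4634, "Computer": "WS01", "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1", "Time": "2024-01-08T17:00:02"},
]


def pair_sessions(events):
    """Return one record per logon session, keyed on (Computer, Logon ID).

    Logon IDs are unique only within one machine's session table, so the
    computer name is part of the key. The first logoff marker seen ends the
    session: 4647 (user initiated logoff) for interactive sessions, which the
    workstation logs before the actual 4634, or 4634 alone for network logons.
    """
    sessions = {}
    for ev in sorted(events, key=lambda e: e["Time"]):  # ISO timestamps sort as text
        key = (ev["Computer"], ev["TargetLogonId"])
        if ev["EventID"] == 4624:
            sessions[key] = {
                "computer": ev["Computer"],
                "user": ev["TargetUserName"],
                "logon_type": LOGON_TYPE_NAMES.get(
                    ev["LogonType"], f"Unknown({ev['LogonType']})"),
                "logon_time": ev["Time"],
                "logoff_time": None,
                "logoff_event": None,
            }
        elif ev["EventID"] in (4647, 4634) and key in sessions:
            s = sessions[key]
            if s["logoff_time"] is None:
                s["logoff_time"] = ev["Time"]
                s["logoff_event"] = ev["EventID"]
    for s in sessions.values():
        if s["logoff_time"]:
            start = datetime.fromisoformat(s["logon_time"])
            end = datetime.fromisoformat(s["logoff_time"])
            s["duration_seconds"] = int((end - start).total_seconds())
        else:
            s["duration_seconds"] = None  # still logged on, or logoff not collected
    return list(sessions.values())


if __name__ == "__main__":
    for session in pair_sessions(SAMPLE_EVENTS):
        print(session)
```

A session with `duration_seconds` of `None` is either still active or its logoff was never collected from that host, which is exactly the gap the article warns about when only the domain controller's logs are gathered.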
Events at the Domain Controllers
When you log on to a workstation or access a shared folder, you are not “logging onto the domain”
There’s no such concept
Each Windows computer is responsible for maintaining its own set of active logon sessions
After servicing an authentication request, the domain controller forgets about the user; it does not know how you logged on (console, remote desktop, network, etc.) nor when you log off
However, logon / logoff pairs are seen on domain controllers immediately following the authentication Events for the same user
These logon / logoff Events are generated by the group policy client on the local computer retrieving the applicable group policy objects from the domain controller so that policy can be applied for that user, and again approximately every 90 minutes thereafter
Other service ticket related Events are seen on Domain Controllers and require in-depth discussion of Kerberos and how it’s implemented which is beyond the scope of this article
Basically, after the initial authentication to the domain controller (which logs 672/4768), a service ticket Event (673/4769) is logged for every computer the user logs on to: the workstation, the domain controller itself (for group policy) and any member server, such as when connecting to a shared folder
As computers remain up and running, tickets expire and are renewed, generating further Account Logon Events on Domain Controllers
Summary
Both Account Logon (authentication) and Logon/Logoff categories provide needed information and neither can replace the other
Ideally, both categories of Events from all computers (workstations and member servers) should be collected
To determine definitively how a user logged on, you have to find the logon Event on the computer where the account logged on
To determine when a user logged off, you have to go to the workstation / member server and find the “user initiated logoff” Event (551/4647)
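The domain controller view described in the previous section (a 672/4768 followed by 673/4769 service tickets for each computer) and the summary's point that the "how" and "when logged off" must come from the host's own log, as one added Python example; this is not code from the original article. The records are constructed: `TargetUserName`, `ServiceName`, `TargetLogonId` and `LogonType` follow the 2008-era event XML, while the hosts, account, times and the 120-second matching window are invented assumptions, and matching a host 4624 to a TGT by account and time is a heuristic of this example, not a field the events share.

```python
"""Correlate domain-controller authentication events with the host's logon events.

Added example, not part of the original article. All records are constructed;
field names follow the 2008-era event XML, values are invented.
"""
from collections import defaultdict
from datetime import datetime

# Constructed DC events: one TGT request (4768) followed by service tickets
# (4769) for the workstation, the DC itself (group policy) and a file server.
# Note that none of them carries a logon type or a logoff.
DC_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.21",
     "Time": "2024-01-08T07:59:58"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "WS01$",
     "Time": "2024-01-08T07:59:59"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "DC01$",
     "Time": "2024-01-08T08:00:01"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "FS01$",
     "Time": "2024-01-08T08:04:58"},
]

# Constructed events from the workstation's and file server's own Security Logs.
HOST_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1", "LogonType": 2, "Time": "2024-01-08T08:00:00"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "alice",
     "TargetLogonId": "0x5b201", "LogonType": 3, "Time": "2024-01-08T08:05:00"},
    {"EventID": 4634, "Computer": "FS01", "TargetUserName": "alice",
     "TargetLogonId": "0x5b201", "Time": "2024-01-08T08:05:30"},
    {"EventID": 4647, "Computer": "WS01", "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1", "Time": "2024-01-08T17:00:00"},
    {"EventID": 4634, "Computer": "WS01", "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1", "Time": "2024-01-08T17:00:02"},
]


def account_name(event):
    """Normalise the account: 4769 appends the realm (alice@CORP.EXAMPLE -> alice)."""
    return event["TargetUserName"].split("@")[0].lower()


def tickets_per_account(dc_events):
    """Group DC events by account: TGT request times, then the service tickets that follow."""
    summary = defaultdict(lambda: {"tgt_times": [], "service_tickets": []})
    for ev in sorted(dc_events, key=lambda e: e["Time"]):
        entry = summary[account_name(ev)]
        if ev["EventID"] == 4768:
            entry["tgt_times"].append(ev["Time"])
        elif ev["EventID"] == 4769:
            entry["service_tickets"].append((ev["Time"], ev["ServiceName"]))
    return dict(summary)


def resolve_logon(tgt_event, host_events, window_seconds=120):
    """Answer 'how did the user log on, and when did they log off?' for one 4768.

    The DC's 4768 has no logon type and no logoff, so the answer comes from the
    first 4624 for the same account on any host within a short window after the
    TGT (a heuristic assumed by this example), plus the 4647/4634 that shares
    that 4624's Logon ID on the same computer.
    """
    user = account_name(tgt_event)
    tgt = datetime.fromisoformat(tgt_event["Time"])
    ordered = sorted(host_events, key=lambda e: e["Time"])
    for ev in ordered:
        if ev["EventID"] != 4624 or account_name(ev) != user:
            continue
        delta = (datetime.fromisoformat(ev["Time"]) - tgt).total_seconds()
        if not 0 <= delta <= window_seconds:
            continue
        logoff = next((h["Time"] for h in ordered
                       if h["EventID"] in (4647, 4634)
                       and h["Computer"] == ev["Computer"]
                       and h["TargetLogonId"] == ev["TargetLogonId"]), None)
        return {"computer": ev["Computer"], "logon_type": ev["LogonType"],
                "logon_time": ev["Time"], "logoff_time": logoff}
    return None  # authentication seen on the DC, but no host logon collected


if __name__ == "__main__":
    print(tickets_per_account(DC_EVENTS))
    print(resolve_logon(DC_EVENTS[0], HOST_EVENTS))
```

When `resolve_logon` returns `None` the account authenticated but no host reported a session, which is the situation the summary describes: the Account Logon category alone cannot say where, how or for how long the user was logged on.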
Event List (as discussed in this article)
Windows Server 2000-2003 / Windows XP

Event Id | Category | Description |
---|---|---|
528 | Logon/Logoff | Successful Logon |
538 | Logon/Logoff | User Logoff |
540 | Logon/Logoff | Successful Network Logon |
551 | Logon/Logoff | User initiated logoff |
672 | Account Logon | Authentication Ticket Granted |
673 | Account Logon | Service Ticket Granted |
680 | Account Logon | Account Used for Logon by |

Windows Server 2008 / Windows Vista / Windows 7 (2000/2003 Event Id + 4096)

Event Id | Category\Subcategory | Description |
---|---|---|
4624 | Logon/Logoff\Logon | An account was successfully logged on |
4634 | Logon/Logoff\Logon | An account was logged off |
4647 | Logon/Logoff\Logon | User initiated logoff |
4768 | Account Logon\Kerberos Authentication Service | A Kerberos authentication ticket (TGT) was requested |
4769 | Account Logon\Kerberos Service Ticket Operations | A Kerberos service ticket was requested |
4776 | Account Logon\Credential Validation | The domain controller attempted to validate the credentials for an account |
Notes
To return a more detailed list of all security-auditing Event entries, run the following command:
wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true
Argent for Compliance uses this format to filter Events by their details; see:
UserData Variables
https://help.argent.com/#compliance_userdata
To return a list of all security-auditing categories and subcategories, run the following command:
auditpol /list /subcategory:*