Logon Types

Description: Logon Events can give us very specific information regarding the nature of account authorizations on a system if we know where to look and how to decipher the data that we find. In addition to telling us the Date, Time, Username, Hostname, and Success/Failure status of a logon, Logon Events also enables us to determine by exactly what means a logon was attempted.

Location:

  • C:\Windows\System32\Winevt\Logs\Security.evtx

Notes:

  • Event ID: 4624 - An account was successfully logged on.

Logon Type Explanation
2 Logon via Console
3 Network Logon
4 Batch Logon
5 Windows Service Logon
7 Credentials used to Unlock Screen
8 Network Logon sending Credentials
9 Different Credentials used than Logged on User
10 Remote Interactive Logon (RDP)
11 Cached Credentials used to Logon
12 Cached Remote Interactive (Similar to Type 10)
13 Cached Unlock (Similar to Type 7)

Analysis: The security.evtx log generates a 4624 event for every successful logon attempt to the local computer. This event isn't limited to when an end user logs into their workstation from a console but also includes authentication events via other mechanisms. Windows Service Logons inparticular tend to generate a large number of 4624 events.

We can use Windows native Event Viewer application for analyzing .evtx files. On a Windows client, double-clicking an .evtx file will automatically open the log inside of the Saved Logs folder in Event Viewer.



We can filter the security.evtx log to only show 4624 events by selecting Filter Current Log... and inputing 4624 in the text box labled <All Event IDs>.



We can determine how a logon was attempted by reviewing the decimal value of Logon Type. In the example below, the we can see that we're reviewing a Windows Service Logon.



In many circumstances, we're only interested in viewing information for a specific type of logon. The default filtering options within Event Viewer don't natively provide that type of granularity, so well need to manually edit our search query using XML. To filter by a specific logon type: Modify your filter to only show 4624 events --> Select Filter Current Log... --> Select the XML tab --> Click the checkbox next to Edit query manually --> Select Yes to accept the warning prompt --> Copy and *[EventData[Data[@Name='LogonType'] and (Data='2')]] and paste it right after your initial select statement *[System[(EventID=4624)]] --> Select Ok. Modify the decimal value of Data as needed for your query.