Logon ID

Key Points

  1. Definition: The "Logon ID" is a locally unique identifier (LUID) that Windows assigns to each logon session on a host. Whenever a user or service logs on, a new Logon ID is generated and recorded in the Security event log, and every access token derived from that session carries it.

  2. Utility: It is crucial in tracking user activities during a session. By following the trail of a specific Logon ID, investigators can piece together a user's actions on a system.

  3. Event Logs: The field appears in the Windows Security events that describe account use, such as 4624 (logon) and 4634 (logoff), and in the Subject section of most other audit events, which records the session that performed the action: 4648 (explicit credential use), 4672 (special privileges assigned), 4688 (process creation) and 4663 (object access), among others.

  4. Correlation: Because every action audited under a session carries its Logon ID, a logon event can be tied to the process creations, file accesses and configuration changes logged under the same Logon ID, independently of the account name, which several concurrent sessions may share.

Considerations

  • Persistence: A Logon ID lasts until its session ends (logoff or shutdown). Logon IDs are unique only within one boot session: the counter restarts after a reboot, so the same value can name a different session on the next boot, and well-known IDs such as 0x3E7 (SYSTEM) are identical on every host and every boot. Bound a search by the 4624/4634 timestamps when a log spans a reboot.

  • Multiple Sessions: A user can have several active sessions at once, each with its own Logon ID: an interactive desktop session, an RDP session and a network (type 3) session opened by a file share connection are tracked separately. With UAC enabled, an interactive logon by an administrator also produces two linked sessions (a filtered and an elevated token), so two 4624 events with different Logon IDs appear for one logon; recent Windows versions record the pairing in the "Linked Logon ID" field of 4624.

  • Scope: A Logon ID is meaningful only on the computer that generated it. When a user's workstation session opens a network logon to a server, the server assigns its own Logon ID to that session, unrelated to the one on the workstation. Cross-host correlation therefore relies on account name, timestamps and the source workstation name or IP address recorded in the server's 4624 event, not on matching Logon ID values.

  • Tools for Analysis: Event Viewer filters and custom XML views, PowerShell (Get-WinEvent with -FilterXPath or -FilterHashtable) or third-party log parsers can all search by Logon ID. Reading the Security log requires administrative rights.

Technical Explanation

  • Format: The Logon ID is a 64-bit LUID rendered as a hexadecimal value (e.g., 0x4F3C2). Some values are fixed: 0x3E7 (decimal 999) is always the SYSTEM account's logon, 0x3E4 is NETWORK SERVICE and 0x3E5 is LOCAL SERVICE. In the event's XML the field is named SubjectLogonId or TargetLogonId and is written in lowercase hex ("0x4f3c2").

  • Locating in Logs: A 4624 event carries two Logon IDs. The one under 'Subject' belongs to the process that requested the logon (often SYSTEM, 0x3E7); the one under 'New Logon' belongs to the session just created and is the value to follow. In other audit events the Logon ID appears under 'Subject' and names the session that performed the action.

  • Example Log Entry:

    An account was successfully logged on.
    
    Subject:
      Security ID: SYSTEM
      Account Name: WIN-SERVER$
      Account Domain: WORKGROUP
      Logon ID: 0x3E7
    
    Logon Type: 2
    New Logon:
      Security ID: ACME-FRONTDESK\JohnD
      Account Name: JohnD
      Account Domain: ACME-FRONTDESK
      Logon ID: 0x4F3C2

Using Logon ID in Investigations

  1. Initial Detection: Identify a suspicious 4624 logon event. Note the Logon ID under 'New Logon' (not the Subject Logon ID, which names the caller), together with the Logon Type, source address and timestamp.

  2. Activity Mapping: Search the Security log for events whose Subject Logon ID equals that value (process creation, privilege use, object access) and for the matching 4634 or 4647 logoff, which bounds the session in time. A 4624 whose Subject Logon ID is the session under investigation means the session created a further session (for example via runas or a scheduled task); follow its New Logon ID in turn.

  3. Cross-Referencing: For network logons the remote host assigns its own Logon ID, so on other systems search for 4624 events by account name, timestamp and source workstation or IP address, then follow the Logon ID those events report locally.

  4. Building Timelines: Combine data from various logs to construct a timeline of user activities for a particular session.
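The procedure above, as an added PowerShell example that is not part of the original page: it builds a per-session timeline from constructed sample events that mirror the page's example entry (JohnD, Logon ID 0x4F3C2), and wraps the same filter as a Get-WinEvent query for a live Security log or an exported .evtx. The account names, timestamps and the 0x4F3C2, 0x5A1B0 and 0x4F000 Logon IDs are made up for illustration; the field names SubjectLogonId and TargetLogonId and the well-known IDs are the real ones.

```powershell
# Added example (not from the original page): walk a Security log by Logon ID.
# Sample events below are constructed; only the field names and well-known
# LUIDs are real.

# The event XML stores the LUID as lowercase hex ("0x4f3c2") under the names
# SubjectLogonId / TargetLogonId; Event Viewer displays it upper-case. XPath
# string comparison is case-sensitive, so normalise before filtering.
function ConvertTo-LogonIdKey {
    param([Parameter(Mandatory)][string]$LogonId)
    $v = $LogonId.Trim().ToLowerInvariant()
    if ($v -notmatch '^0x') { $v = '0x' + $v }   # accept "4F3C2" as well as "0x4F3C2"
    return $v
}

# LUIDs that are identical on every host and every boot; they identify a
# service account, not a user session, so a timeline built on them is meaningless.
$WellKnownLogonIds = @{
    '0x3e7' = 'SYSTEM'
    '0x3e4' = 'NETWORK SERVICE'
    '0x3e5' = 'LOCAL SERVICE'
}

# Constructed sample: one interactive session (JohnD, 0x4f3c2) that spawns a
# second session via runas, plus an unrelated RDP logon as noise.
# Subject*: the session that performed the action; Target*: the session acted on.
$SampleEvents = @(
    [pscustomobject]@{ Time='2024-05-01T08:00:01'; Id=4624; SubjectLogonId='0x3e7';   TargetLogonId='0x4f3c2'; Detail='Logon type 2 (interactive), JohnD' }
    [pscustomobject]@{ Time='2024-05-01T08:00:01'; Id=4672; SubjectLogonId='0x4f3c2'; TargetLogonId=$null;     Detail='Special privileges assigned' }
    [pscustomobject]@{ Time='2024-05-01T08:02:10'; Id=4688; SubjectLogonId='0x4f3c2'; TargetLogonId=$null;     Detail='Process created: cmd.exe' }
    [pscustomobject]@{ Time='2024-05-01T08:03:05'; Id=4648; SubjectLogonId='0x4f3c2'; TargetLogonId=$null;     Detail='Explicit credentials used: svc_backup' }
    [pscustomobject]@{ Time='2024-05-01T08:03:05'; Id=4624; SubjectLogonId='0x4f3c2'; TargetLogonId='0x5a1b0'; Detail='Logon type 2 via runas, svc_backup' }
    [pscustomobject]@{ Time='2024-05-01T08:20:00'; Id=4688; SubjectLogonId='0x5a1b0'; TargetLogonId=$null;     Detail='Process created: powershell.exe' }
    [pscustomobject]@{ Time='2024-05-01T09:15:00'; Id=4634; SubjectLogonId=$null;     TargetLogonId='0x4f3c2'; Detail='Logoff, JohnD' }
    [pscustomobject]@{ Time='2024-05-01T07:59:58'; Id=4624; SubjectLogonId='0x3e7';   TargetLogonId='0x4f000'; Detail='Logon type 10 (RDP), admin (unrelated)' }
)

# Every event tied to one session: what it did (Subject) and what created or
# ended it (Target), oldest first. A 4624 where the session is the Subject
# created another session; its New Logon ID is surfaced as ChildLogonId.
function Get-LogonIdTimeline {
    param(
        [Parameter(Mandatory)][string]$LogonId,
        [Parameter(Mandatory)][object[]]$Events
    )
    $key = ConvertTo-LogonIdKey $LogonId
    if ($WellKnownLogonIds.ContainsKey($key)) {
        Write-Warning "$key is the well-known $($WellKnownLogonIds[$key]) logon: it spans the whole boot, not one user session"
    }
    $Events |
        Where-Object { $_.SubjectLogonId -eq $key -or $_.TargetLogonId -eq $key } |
        Sort-Object { [datetime]$_.Time } |
        ForEach-Object {
            $role  = if ($_.TargetLogonId -eq $key) { 'target' } else { 'subject' }
            $child = $null
            if ($_.Id -eq 4624 -and $_.SubjectLogonId -eq $key) { $child = $_.TargetLogonId }
            [pscustomobject]@{ Time = $_.Time; Id = $_.Id; Role = $role; ChildLogonId = $child; Detail = $_.Detail }
        }
}

# The same filter against a live Security log (elevated shell required) or an
# exported .evtx. Add a System[TimeCreated[...]] clause when the log spans a
# reboot, because Logon IDs restart with each boot.
function Get-LogonIdEvents {
    param(
        [Parameter(Mandatory)][string]$LogonId,
        [string]$EvtxPath     # omit to query the local Security log
    )
    $key   = ConvertTo-LogonIdKey $LogonId
    $xpath = "*[EventData[Data[@Name='SubjectLogonId']='$key' or Data[@Name='TargetLogonId']='$key']]"
    if ($EvtxPath) { Get-WinEvent -Path $EvtxPath -FilterXPath $xpath -Oldest }
    else           { Get-WinEvent -LogName Security -FilterXPath $xpath -Oldest }
}

# Offline run over the constructed sample, with the ID as Event Viewer shows it.
Get-LogonIdTimeline -LogonId '0x4F3C2' -Events $SampleEvents | Format-Table -AutoSize
```

On the sample data the timeline for 0x4F3C2 consists of its own 4624 (role target), the 4672, 4688 and 4648 it performed, the 4624 it spawned (ChildLogonId 0x5a1b0, the next session to follow) and the closing 4634; the unrelated RDP logon and the child session's own process creation are excluded. Calling the function with 0x3E7 prints a warning instead of a useful session trail, which is the check a practitioner wants before spending time on a SYSTEM Logon ID. For a live system, Get-LogonIdEvents -LogonId '0x4F3C2' runs the same match against the Security log, or against a collected file with -EvtxPath.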
