Logon Types

Logon Events provide very specific information regarding the nature of account authorizations on a system. In addition to date, time, username, hostname, and success/failure status of a logon, Logon Events also enable us to determine by exactly what means a logon was attempted.

Location

%SYSTEM ROOT%\System32\winevt\logs\Security.evtx

Event ID 4624

Logon Type

Explanation

Logon via console

Network Logon

Batch Logon

Windows Service Logon

Credentials used to unlock screen; RDP session reconnect.

Network logon sending credentials (cleartext)

Different credentials used than logged on user

Remote interactive logon (RDP)

Cached credentials used to logon

Cached remote interactive (similar to Type 10)

Cached unlock (similar to Type 7)

Previous4624 - Authentication Success Next4625 - Authentication Failure

Last updated 2 years ago