“New” audit Logon/Logoff and other event IDs

When you search for Logon or Logoff event ID numbers, you will find many old sites talking about ID 528 and ID 538.
However, since Windows 7 and Windows Server 2008 R2 these event IDs no longer apply, so they are useless on those more recent operating systems.

The Advanced Security Audit Policy Settings link is an exhaustive list of all new audit IDs.

However, as with event ID 528, logon types still apply to the new event ID 4624. You can find them at the end of this post.

For example, if you want to search for interactive logons you can use the following command line.

# Logon type 2 = Interactive (see the logon type list at the end of this post)
Get-WinEvent -FilterHashtable @{Logname='Security';ID='4624';Data='2'}

And if you want to search for network logons you can use the following command line.

# Logon type 3 = Network
Get-WinEvent -FilterHashtable @{Logname='Security';ID='4624';Data='3'}

In case you are wondering how the old IDs map to the new ones, here is a short list:

  • 512 / 4608 Startup
  • 513 / 4609 Shutdown
  • 528 / 4624 Logon
  • 538 / 4634 Logoff
  • 551 / 4647 Begin Logoff

And here is what I gathered from the link above concerning Logon events.

Event ID Description
4624 An account was successfully logged on.
4625 An account failed to log on.
4634 An account was logged off.
4647 User initiated logoff.
4648 A logon was attempted using explicit credentials.
4649 A replay attack was detected.
4675 SIDs were filtered.
4774 An account was mapped for logon.
4775 An account could not be mapped for logon.
4776 The domain controller attempted to validate the credentials for an account.
4777 The domain controller failed to validate the credentials for an account.
4778 A session was reconnected to a Window Station.
4779 A session was disconnected from a Window Station.
4800 The workstation was locked.
4801 The workstation was unlocked.
4802 The screen saver was invoked.
4803 The screen saver was dismissed.
4964 Special groups have been assigned to a new logon.
5378 The requested credentials delegation was disallowed by policy.
5632 A request was made to authenticate to a wireless network.
5633 A request was made to authenticate to a wired network.
6272 Network Policy Server granted access to a user.
6273 Network Policy Server denied access to a user.
6274 Network Policy Server discarded the request for a user.
6275 Network Policy Server discarded the accounting request for a user.
6276 Network Policy Server quarantined a user.
6277 Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
6278 Network Policy Server granted full access to a user because the host met the defined health policy.
6279 Network Policy Server locked the user account due to repeated failed authentication attempts.
6280 Network Policy Server unlocked the user account.

And here is the list of logon types for event ID 4624.

Type 2 (Interactive): A user logged on to this computer.
Type 3 (Network): A user or computer logged on to this computer from the network.
Type 4 (Batch): Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
Type 5 (Service): A service was started by the Service Control Manager.
Type 7 (Unlock): This workstation was unlocked.
Type 8 (NetworkCleartext): A user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
Type 9 (NewCredentials): A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
Type 10 (RemoteInteractive): A user logged on to this computer remotely using Terminal Services or Remote Desktop.
Type 11 (CachedInteractive): A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
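As an added example (not code from the original post), here is a helper that selects 4624 events by the LogonType field by name using an XPath filter, rather than the FilterHashtable Data key, which matches any event data field holding that value, and labels each event with the type names from the list above. It assumes a PowerShell session on Windows 7 / Server 2008 R2 or later with permission to read the Security log; the function and property names are my own.

```powershell
# Added example, not from the original post. Logon type names taken from the list above.
$LogonTypeNames = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

function Get-LogonEvents {
    param(
        [int[]]$LogonType = @(2, 10),   # default: console and Remote Desktop logons
        [int]$MaxEvents = 500
    )
    # Build an XPath filter that tests the LogonType field by name. FilterHashtable's
    # Data key would also match any other field whose value happens to be '2' or '10'.
    $typeClause = ($LogonType | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '
    $xpath = "*[System[EventID=4624] and EventData[$typeClause]]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Parse the event XML so fields can be read by name instead of by position
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            $type = [int]$d['LogonType']
            [pscustomobject]@{
                Time         = $_.TimeCreated
                LogonType    = $type
                TypeName     = $LogonTypeNames[$type]
                User         = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Source       = $d['IpAddress']
                LogonProcess = $d['LogonProcessName']
                LogonId      = $d['TargetLogonId']
            }
        }
}

# Usage: list network (3) and Remote Desktop (10) logons, then count them per user and type
$events = Get-LogonEvents -LogonType 3, 10
$events | Group-Object User, TypeName | Sort-Object Count -Descending | Format-Table Count, Name
```

The TargetLogonId value can be matched against the same field in 4634/4647 events to pair a logon with its logoff.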

More about

Search the event log with the Get-WinEvent PowerShell cmdlet

Fast event log search in PowerShell with the FilterHashtable parameter
