When you are searching for logon or logoff event ID numbers, you may find a lot of old sites talking about ID 528 and ID 538.
However, since Windows 7 and Windows Server 2008 R2, these event IDs no longer apply and are useless on those more recent operating systems.
The Advanced Security Audit Policy Settings link is an exhaustive list of all the new audit IDs.
However, just as for event ID 528, logon types still apply to the new event ID 4624. You can find them at the end of this post.
For example, if you want to search for interactive logons (logon type 2), you can use the following command line.
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624;Data='2'}
And if you want to search for network logons (logon type 3), you can use the following command line.
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624;Data='3'}
Just in case you wonder whether there is a mapping between the old and new IDs, here is a short list (old / new):
- 512 / 4608 Startup
- 513 / 4609 Shutdown
- 528 / 4624 Logon
- 538 / 4634 Logoff
- 551 / 4647 Begin Logoff
And here is what I gathered from the link above concerning Logon events.
| Event ID | Description |
|---|---|
| 4624 | An account was successfully logged on. |
| 4625 | An account failed to log on. |
| 4634 | An account was logged off. |
| 4647 | User initiated logoff. |
| 4648 | A logon was attempted using explicit credentials. |
| 4649 | A replay attack was detected. |
| 4675 | SIDs were filtered. |
| 4774 | An account was mapped for logon. |
| 4775 | An account could not be mapped for logon. |
| 4776 | The domain controller attempted to validate the credentials for an account. |
| 4777 | The domain controller failed to validate the credentials for an account. |
| 4778 | A session was reconnected to a Window Station. |
| 4779 | A session was disconnected from a Window Station. |
| 4800 | The workstation was locked. |
| 4801 | The workstation was unlocked. |
| 4802 | The screen saver was invoked. |
| 4803 | The screen saver was dismissed. |
| 4964 | Special groups have been assigned to a new logon. |
| 5378 | The requested credentials delegation was disallowed by policy. |
| 5632 | A request was made to authenticate to a wireless network. |
| 5633 | A request was made to authenticate to a wired network. |
| 6272 | Network Policy Server granted access to a user. |
| 6273 | Network Policy Server denied access to a user. |
| 6274 | Network Policy Server discarded the request for a user. |
| 6275 | Network Policy Server discarded the accounting request for a user. |
| 6276 | Network Policy Server quarantined a user. |
| 6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. |
| 6278 | Network Policy Server granted full access to a user because the host met the defined health policy. |
| 6279 | Network Policy Server locked the user account due to repeated failed authentication attempts. |
| 6280 | Network Policy Server unlocked the user account. |
And here is the list of logon types for event ID 4624.
| Logon Type | Name | Description |
|---|---|---|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
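The `Data='2'` style of filter shown earlier is a quick match on any event data field, so the following added example (not from the original post) reads the `LogonType` field out of each 4624 event's XML instead and summarises logons by the type names from the table above. `Get-LogonTypeSummary`, its parameters and the one-day default window are assumptions of this example; it needs read access to the Security log.

```powershell
# Added example: count successful logons (event ID 4624) per logon type,
# taking LogonType from the event XML rather than a loose Data='<n>' match.

$logonTypeNames = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

function Get-LogonTypeSummary {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),   # assumed default window
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # FilterHashtable narrows the query on the server side (log, ID, start time).
    $filter = @{ LogName = 'Security'; ID = 4624; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Each 4624 event carries named <Data> elements; index them by Name.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $type = [int]$data['LogonType']
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            LogonType   = $type
            LogonName   = if ($logonTypeNames.ContainsKey($type)) { $logonTypeNames[$type] } else { "Unknown($type)" }
            TargetUser  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            SourceIp    = $data['IpAddress']
        }
    }
}

# Summary: how many logons of each type in the window, most frequent first.
Get-LogonTypeSummary |
    Group-Object LogonName |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

Pipe `Get-LogonTypeSummary` into `Where-Object LogonType -eq 10` to list only Remote Desktop logons with their source addresses.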
More about:
- Search the event log with the Get-WinEvent PowerShell cmdlet
- Fast event log search in PowerShell with the FilterHashtable parameter