How-to: Windows Logon Types

Windows Event ID 4624 (An account was successfully logged on) records a numeric Logon Type field in its EventData that describes how the account authenticated; the failure event 4625 carries the same field. The type matters for forensics and incident response because it tells you whether the credentials were left in memory (lsass) or on disk on that machine, and therefore what an attacker who later compromises the host can reuse.

2 Interactive logon. A user logged on to this computer at its local keyboard and screen (the console). Credentials are held in memory (lsass) and, for domain accounts, are also written to the local cached-credentials store. RunAs without the /netonly switch also generates a type 2 logon.
3 Network logon. A user or computer logged on to this computer from the network, typically to access a remote file share or printer; SMB-based remote tools such as PsExec and WMI produce the same type. Authentication is Kerberos or NTLM, so the credentials are not stored in lsass or on disk. Most logons to Internet Information Services (IIS) are network logons, except IIS logons that use Basic authentication (logon type 8).
4 Batch logon. Used for scheduled tasks, where processes run on behalf of a user without their direct intervention: the Task Scheduler service creates a new logon session when it starts the task. Because the task must run while the user is logged off, the password is stored locally (credentials hit disk and memory) and can be recovered by anyone with administrative access to the machine.
5 Service logon. A service account logging on to start a service. When a service starts, Windows first creates a logon session for the account specified in the service configuration. Credentials hit disk and memory: the service password is stored as an LSA secret, encrypted, in the registry under HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets, and is readable by anyone who obtains SYSTEM on the host.
7 Unlock. The workstation was unlocked. The absence of a type 7 event does not prove that the workstation was never unlocked.
8 Network clear text logon. A user logged on to this computer from the network and the user's password was passed to the authentication package in its unhashed (clear text) form. This does not by itself mean the password crossed the wire in plaintext: the built-in authentication packages hash credentials before sending them across the network. The usual source is Basic authentication to an IIS server, where the browser sends the password Base64-encoded; protect it on the wire with TLS (HTTPS) or IPsec.
9 New credentials-based logon. This is used when you run an application with the RunAs command and specify the /netonly switch. The program starts in a new logon session that has the same local identity (the user you are currently logged on as) but uses the credentials given to runas for outbound network connections. Those credentials are not validated locally, so a type 9 event appears even if the password is wrong, and they are held in lsass for the life of that session. Without /netonly, Windows runs the program on the local computer and on the network as the user specified in the runas command, and logs the logon event with type 2.
10 Remote Interactive logon. A user logged on to this computer remotely using an RDP-based application such as Terminal Services or Remote Desktop. Third-party software such as virtualization consoles and screen-sharing tools can also generate it. Credentials are in memory (lsass) and, for domain accounts, are also added to the cached credentials, which is why an RDP logon (type 10) exposes the account to theft on the target in a way a network logon (type 3) does not.
11 Cached Interactive logon. A user logged on to this computer with domain credentials that were stored locally on the computer; the domain controller was not contacted to verify them. Windows supports logon with cached credentials to ease the life of mobile users and users who are often disconnected. Cached credentials are stored as MS-Cache v2 (mscache2, DCC2) hashes which, contrary to popular belief, can be cracked, although the format is slow enough to make this expensive against strong passwords. Newer Windows versions also log 12 (Cached Remote Interactive) and 13 (Cached Unlock), the cached-credential equivalents of types 10 and 7.
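The PowerShell below is an added example, not part of this page or of any Microsoft tool: it reads 4624 events from the local Security log, maps the LogonType field to the names above and lists the types worth a second look (8, 9 and 10). It assumes an elevated prompt, since reading the Security log requires administrative rights; the 24-hour window and the 5000-event cap are arbitrary choices.

```powershell
# Added example (not from the SS64 page): tally 4624 logon types in the local
# Security log and list the ones worth a second look.
# Assumes an elevated prompt; the window and event cap are arbitrary choices.

$LogonTypeNames = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
    12 = 'CachedRemoteInteractive'
    13 = 'CachedUnlock'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-24)
} -MaxEvents 5000 -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $t = [int]$d['LogonType']
    [pscustomobject]@{
        Time        = $e.TimeCreated
        LogonType   = $t
        TypeName    = $LogonTypeNames[$t]
        User        = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        Source      = $d['IpAddress']
        LogonProc   = $d['LogonProcessName']
        AuthPackage = $d['AuthenticationPackageName']
    }
}

# Count per logon type
$rows | Group-Object LogonType | Sort-Object { [int]$_.Name } |
    Select-Object @{n = 'LogonType'; e = { $_.Name }},
                  @{n = 'TypeName';  e = { $LogonTypeNames[[int]$_.Name] }},
                  Count | Format-Table -AutoSize

# Type 8: the password reached the authentication package in clear text
# (typically IIS Basic authentication); check that those requests were over TLS
$rows | Where-Object LogonType -eq 8 |
    Format-Table Time, User, Source, LogonProc -AutoSize

# Type 9: runas /netonly. The supplied credentials are not verified locally,
# so a wrong password still produces this event
$rows | Where-Object LogonType -eq 9 |
    Format-Table Time, User, LogonProc -AutoSize

# Type 10: RDP. These leave credentials in lsass on this host, so compare the
# source addresses with the jump hosts you expect
$rows | Where-Object { $_.LogonType -eq 10 -and $_.Source -notin @('-', '127.0.0.1', '::1') } |
    Format-Table Time, User, Source, AuthPackage -AutoSize
```

Run it from an elevated PowerShell prompt on the host you are examining. On a domain controller or file server the type 3 count will dominate; on a workstation a steady stream of type 10 logons from addresses that are not your RDP gateway, or any type 8 at all, is what deserves follow-up.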

“You own everything that happened to you.
  Tell your stories. If people wanted you to write warmly about them, they should have behaved better” ~ Anne Lamott

Related commands

NTRIGHTS - Edit user account rights.
RUNAS - Execute a program under a different user account.
WEVTUTIL - Retrieve information about event logs.
Windows Event IDs - Event Log.

Copyright © 1999-2024 SS64.com
Some rights reserved