In the Windows Event Viewer you will frequently see events 4624 and 4625 in the Security Log but the entry will only give you a number and one word description, which is not great.

logon types event 4624

In this article we explain what the different Logon Types mean:

What is Logon Type 0 – System?

Logon Type 0 – System means that the computer was started up.

What is Logon Type 2 – Interactive?

Logon Type 2 – Interactive means that a user tried to sign in.

What is Logon Type 3 – Network?

Logon Type 3 – Network means that a something connected to this machine through the network. In other words, a user or another computer connected to this computer remotely, likely through a SMB share or shared printer.

What is Logon Type 4 – Batch?

Logon Type 4 – Batch means that a Scheduled Task connected to this computer. Note that if the Scheduled Task is set to run only when a designated user is logged on, this event will NOT be logged.

What is Logon Type 5 – Service?

Logon Type 5 – Service means that a service started was started by the Service Control Manager and logged in to do whatever it has to do. Note that this event will only be logged if the service is started with a regular user account and it will NOT be logged if the service is running as a “special account” like the Local System or NT AUTHORITY\LocalService .

What is Logon Type 7 – Unlock?

Logon Type 7 – Unlock means that a user tried to sign in. This is different from an initial logon which would be logged as Logon Type 2.

What is Logon Type 8 – NetworkCleartext?

Logon Type 8 – NetworkCleartext means that a user connected to this computer without the credentials being encrypted. In todays world, this would be very unusual to see but it was common 20 years ago. You might see it when someone is setting up an IIS Web Server or during some testing, but moving passwords through any network in clear text is a very risky proposition, because it is so easy to use a “packet sniffer” like WireShark to read it.

Many programs that used to accept clear text passwords have disabled that possibility now:

In September 2021, we announced that effective October 1, 2022, we will begin disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. SMTP Auth will also be disabled if it is not being used.

learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

What is Logon Type 9 – NewCredentials?

Logon Type 9 – NewCredentials means that someone started a program or connection using RUN AS.

What is Logon Type 10 – RemoteInteractive?

Logon Type 10 – RemoteInteractive means that someone has logged in using Remote Desktop (RDS), Terminal Services or Remote Assistance

There are a few more but they are even more rarely used.

Here are a few of the most common connection methods:

Connection MethodLogon TypeReusable Credentials on DestinationComments
Log on at consoleInteractiveCredentials ARE ExposedIncludes hardware remote access / lights-out cards and network KVMs.
RUNASInteractiveCredentials ARE Exposed
RUNAS /NETWORKNewCredentialsCredentials ARE ExposedClones current LSA session for local access, but uses new credentials when connecting to network resources.
Remote Desktop (success)RemoteInteractiveCredentials ARE ExposedIf the remote desktop client is configured to share local devices and resources, those may be compromised as well.
Remote Desktop (failure – logon type was denied)RemoteInteractiveCredentials are NOT ExposedBy default, if RDP logon fails credentials are only stored briefly. This may not be the case if the computer is compromised.
Net use * \\SERVERNetworkCredentials are NOT Exposed
Net use * \\SERVER /u:userNetworkCredentials are NOT Exposed
MMC snap-ins to remote computerNetworkCredentials are NOT ExposedExample: Computer Management, Event Viewer, Device Manager, Services
PowerShell WinRMNetworkCredentials are NOT ExposedExample: Enter-PSSession server
PowerShell WinRM with CredSSPNetworkClearTextCredentials ARE ExposedNew-PSSession server -Authentication Credssp -Credential cred
PsExec without explicit credsNetworkCredentials are NOT ExposedExample: PsExec \\server cmd
PsExec with explicit credsNetwork + InteractiveCredentials ARE ExposedPsExec \\server -u user -p pwd cmd Creates multiple logon sessions.
Remote RegistryNetworkCredentials are NOT Exposed
Remote Desktop GatewayNetworkCredentials are NOT ExposedAuthenticating to Remote Desktop Gateway.
Scheduled taskBatchCredentials ARE ExposedPassword will also be saved as LSA secret on disk.
Run tools as a serviceServiceCredentials ARE ExposedPassword will also be saved as LSA secret on disk.
Vulnerability scannersNetworkCredentials are NOT ExposedMost scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk.
CREDIT: learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types



0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *